From fe8a27dbed462a55c7f5cdfd993664abb07ce997 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Wed, 8 Feb 2017 21:36:43 +0000 Subject: core network revision --- core/conf/hosts | 18 ++-------- core/conf/iptables/rules.v4 | 88 +++++++++++++++++++++++++++------------------ core/conf/rc.conf | 2 +- core/conf/rc.d/net | 7 ++-- core/conf/rc.d/wlan | 67 +++++++++++++++++----------------- 5 files changed, 93 insertions(+), 89 deletions(-) (limited to 'core/conf') diff --git a/core/conf/hosts b/core/conf/hosts index 449949b..4069af5 100644 --- a/core/conf/hosts +++ b/core/conf/hosts @@ -3,25 +3,11 @@ # # IPv4 LocalHosts 127.0.0.1 localhost.localdomain localhost -127.0.0.1 c9.core c9 - -127.0.0.1 wiki.localhost -127.0.0.1 git.localhost -127.0.0.1 doc.localhost -127.0.0.1 ports.localhost - -# IPv4 Intranet -# - -10.0.0.254 c9.core -10.0.0.254 wiki.c9.core -10.0.0.254 git.c9.core -10.0.0.254 doc.c9.core -10.0.0.254 ports.c9.core +127.0.0.1 c9.core c9 # IPv4 Internet # -10.0.0.254 core.privat-network.net +10.0.0.1 c9.core.cx # IPv6 #::1 ip6-localhost ip6-loopback diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4 index 848603c..419962f 100644 --- a/core/conf/iptables/rules.v4 +++ b/core/conf/iptables/rules.v4 
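Review bot: The added `10.0.0.1 c9.core.cx` sits under the `# IPv4 Internet` heading, yet 10.0.0.0/8 is a private range and the only addressing visible elsewhere in this series for the host is 192.168.1.x (the static settings in rc.d/net), so the entry either belongs under an intranet heading or is a stale pin that will shadow DNS for that name. A one-line comment stating why the name must resolve locally, e.g. `# pinned to the LAN address of c9.core.cx; drop once DNS is authoritative`, would make the intent reviewable.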
@@ -48,43 +48,49 @@ COMMIT # # Allow established from dns server -#-A INPUT -i wlp7s0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - +#-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # INPUT accept passive --A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT -# Allow established from http server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT + + +# Allow irc +-A INPUT -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +# Allow xmmp +-A INPUT -p tcp -m tcp --sport 5222 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow established from https server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -i wlp7s0 -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT +-A INPUT -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +# Allow established from http server +-A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # Allow established from rsync server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # Allow established from pop3s server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 995 --dport 1024:65535 -m state 
--state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # Allow established from smtps server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # Allow established from ntp server --A INPUT -i wlp7s0 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # Allow established from whois server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # Allow established from ftp server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -i wlp7s0 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -i wlp7s0 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT ################################################################################## # INPUT # New and established connections to local servers # # INPUT accept from wlp7s0 to dns server --A INPUT -i wlp7s0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +#-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT # INPUT accept from wlp7s0 to https server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A 
INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT # INPUT accept from wlp7s0 to ssh server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT --A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT +-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT -A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 
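Review bot: Dropping `-i wlp7s0` from every rule in this hunk turns a per-interface allowlist into a global one: the rules accepting NEW connections to `--dport 443` and `--dport 2222` now match on any interface the host brings up, and the source-port-keyed ESTABLISHED accepts (`--sport 53`, `--sport 80`, ...) likewise no longer care where the packet arrived. If the goal is to stop hard-coding the interface name, keeping an interface match on the NEW-accepting rules only, e.g. `-A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT`, preserves the previous exposure while the rest becomes interface-agnostic; otherwise a comment at the top of the INPUT section stating that the policy is intentionally interface-independent would record the decision. `# Allow xmmp` should read `# Allow xmpp` (the same typo is in the OUTPUT hunk). The hunk starts part-way through the INPUT chain, so any `-i lo`/`-i br0` accept rules that would short-circuit these are outside it.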
@@ -97,35 +103,47 @@ COMMIT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o br0 -j ACCEPT -# Allow dns -#-A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to ssh clients +-A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +# Allow to dns +#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow from dns server +#-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +# Allow irc +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow xmmp +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + # Allow to rsync server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT # Allow to pop3s server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT # Allow to smtps server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT # Allow to ntp server --A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT # Allow to ftp server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 
1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT # Allow to https server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT # Allow to http server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT ################################################################################## # Output # Connections from local servers # -# Allow from ssh server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow from dns server --A OUTPUT -o wlp7s0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT + -A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 COMMIT diff --git a/core/conf/rc.conf b/core/conf/rc.conf index a9fffb8..661500c 100644 --- a/core/conf/rc.conf +++ b/core/conf/rc.conf @@ -7,6 +7,6 @@ KEYMAP=dvorak TIMEZONE="Europe/Lisbon" HOSTNAME=c9 SYSLOG=sysklogd -SERVICES=(lo net crond) +SERVICES=(lo iptables wlan crond) # End of file diff --git a/core/conf/rc.d/net b/core/conf/rc.d/net index 53224af..e512dc7 100755 --- a/core/conf/rc.d/net 
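Review bot: The new `-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT` at the end of the hunk accepts any new outbound TCP connection to any unprivileged port, which makes the per-service OUTPUT allowlist above it (873, 995, 465, 21/20, 80, 443, 6667, 5222) meaningful only for privileged destination ports, and it sits under the `# Connections from local servers` heading although it is a client-side rule. If some protocol genuinely needs it, give it its own heading and a comment naming that protocol; if not, keep only the ESTABLISHED and RELATED lines of that trio. The `# Allow xmmp` comment should read `# Allow xmpp`.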
+++ b/core/conf/rc.d/net @@ -4,7 +4,8 @@ # # Connection type: "DHCP" or "static" -TYPE="static" +#TYPE="static" +TYPE="DHCP" # For "static" connections, specify your settings here: # To see your available devices run "ip link". @@ -33,8 +34,8 @@ case $1 in else /sbin/ip route del default dev ${DEV} /sbin/ip route flush dev ${DEV} - /sbin/ip link set ${DEV} down - /sbin/ip addr flush dev ${DEV} + /sbin/ip link set ${DEV} down + /sbin/ip addr flush dev ${DEV} fi ;; restart) diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan index 894a69c..d009c1c 100755 --- a/core/conf/rc.d/wlan +++ b/core/conf/rc.d/wlan 
@@ -2,53 +2,52 @@ # # /etc/rc.d/wlan: start/stop wireless interface # + DEV=wlp7s0 + SSD=/sbin/start-stop-daemon PROG_DHCP=/sbin/dhcpcd PROG_WIFI=/usr/sbin/wpa_supplicant -PID_DHCP=/var/run/dhcpcd-${DEV}.pid +PID_DHCP=/var/run/dhcpcd.pid PID_WIFI=/var/run/wpa_supplicant.pid -OPTS_DHCP="-h $(/bin/hostname) -C resolv.conf $DEV" +OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV" OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV" + print_status() { - $SSD --status --pidfile $2 - case $? in - 0) echo "$1 is running with pid $(cat $2)" ;; - 1) echo "$1 is not running but the pid file $2 exists" ;; - 3) echo "$1 is not running" ;; - 4) echo "Unable to determine the program status" ;; - esac + $SSD --status --pidfile $2 + case $? in + 0) echo "$1 is running with pid $(cat $2)" ;; + 1) echo "$1 is not running but the pid file $2 exists" ;; + 3) echo "$1 is not running" ;; + 4) echo "Unable to determine the program status" ;; + esac } case $1 in - start) - $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \ - $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP - RETVAL=$? - ;; - stop) - ( $SSD --stop --retry 10 --pidfile $PID_DHCP - $SSD --stop --retry 10 --pidfile $PID_WIFI ) - RETVAL=$? - /sbin/ip route del default dev ${DEV} - /sbin/ip route flush dev ${DEV} - /sbin/ip link set ${DEV} down - /sbin/ip addr flush dev ${DEV} - ;; - restart) - $0 stop - $0 start - ;; - status) - print_status $PROG_WIFI $PID_WIFI - print_status $PROG_DHCP $PID_DHCP - ;; - *) - echo "Usage: $0 [start|stop|restart|status]" - ;; + start) + $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \ + $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP + RETVAL=$? + ;; + stop) + ( $SSD --stop --retry 10 --pidfile $PID_DHCP + $SSD --stop --retry 10 --pidfile $PID_WIFI ) + RETVAL=$? 
+ ;; + restart) + $0 stop + $0 start + ;; + status) + print_status $PROG_WIFI $PID_WIFI + print_status $PROG_DHCP $PID_DHCP + ;; + *) + echo "Usage: $0 [start|stop|restart|status]" + ;; esac exit $RETVAL -- cgit 1.4.1-2-gfad0 From bb078eb6dcd67616e4e57b8df7cf8bc0dbd8ffa9 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 18 Feb 2017 06:59:21 +0000 Subject: install update to crux 3.3 --- core/conf/exim/exim.conf | 4 +- core/conf/fstab | 47 +- core/conf/ports/6c37.httpup | 5 - core/conf/rc.conf | 2 +- core/conf/rc.d/net | 18 +- core/conf/rc.d/wlan | 57 +- core/conf/resolv.conf | 9 +- core/conf/sysctl.conf | 29 +- core/configure.html | 93 +- core/index.html | 14 +- core/install.html | 226 +- core/package.html | 4 +- core/ports.html | 4 +- core/ports/linux-libre/.footprint | 555 +-- core/ports/linux-libre/.md5sum | 10 +- core/ports/linux-libre/Pkgfile | 65 +- core/ports/linux-libre/config-c9 | 4708 ++++++++++++++++++++ core/ports/linux-libre/port-cpu.patch | 11 + core/ports/linux-libre/port-grsecurity.patch | 62 + core/ports/linux-libre/port-libre-cpu.patch | 11 + core/ports/linux-libre/port-libre-grsecurity.patch | 76 + core/ports/linux-libre/port-libre-make.patch | 11 + core/reboot.html | 23 +- core/scripts/act-chroot.sh | 47 +- core/scripts/backup-system.sh | 5 +- core/scripts/setup-install.sh | 153 +- core/scripts/setup-iso.sh | 50 +- core/scripts/setup-target.sh | 24 +- 28 files changed, 5385 insertions(+), 938 deletions(-) delete mode 100644 core/conf/ports/6c37.httpup create mode 100644 core/ports/linux-libre/config-c9 create mode 100644 core/ports/linux-libre/port-cpu.patch create mode 100644 core/ports/linux-libre/port-grsecurity.patch create mode 100644 core/ports/linux-libre/port-libre-cpu.patch create mode 100644 core/ports/linux-libre/port-libre-grsecurity.patch create mode 100644 core/ports/linux-libre/port-libre-make.patch (limited to 'core/conf') diff --git a/core/conf/exim/exim.conf b/core/conf/exim/exim.conf index 47a6094..074c8af 100644 
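Review bot: Three functional changes are buried in what is mostly a re-indentation: `PID_DHCP` becomes `/var/run/dhcpcd.pid`, `OPTS_DHCP` becomes `--waitip -h $(/bin/hostname) -z $DEV`, and the `stop` branch loses the `ip route del/flush`, `ip link set down` and `ip addr flush` teardown. The new options run dhcpcd without an interface argument (`-z` is an interface allow-pattern), which as far as I recall is master mode and matches the new pidfile, but they also drop the `-C resolv.conf` the old options had, so dhcpcd will now rewrite /etc/resolv.conf on each lease. With the manual teardown gone, `stop` relies on dhcpcd deconfiguring the interface when start-stop-daemon signals it; a comment on that branch such as `# dhcpcd deconfigures ${DEV} itself on SIGTERM; no manual flush here` would record the assumption, and splitting the whitespace change into its own commit would make the rest reviewable. Unrelated to the commit but visible: `$(cat $2)` and the other `$1`/`$2` uses in `print_status` are unquoted.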
--- a/core/conf/exim/exim.conf +++ b/core/conf/exim/exim.conf @@ -539,7 +539,9 @@ acl_check_data: # Deny if the message contains an overlong line. Per the standards # we should never receive one such via SMTP. # - deny condition = ${if > {$max_received_linelength}{998}} + deny message = maximum allowed line length is 998 octets, \ + got $max_received_linelength + condition = ${if > {$max_received_linelength}{998}} # Deny if the message contains a virus. Before enabling this check, you # must install a virus scanner and set the av_scanner option above. diff --git a/core/conf/fstab b/core/conf/fstab index 67bc4e4..da3c9dd 100644 --- a/core/conf/fstab +++ b/core/conf/fstab 
@@ -13,52 +13,9 @@ #/dev/cdrom /cdrom iso9660 ro,user,noauto,unhide 0 0 #/dev/dvd /dvd udf ro,user,noauto,unhide 0 0 #/dev/floppy/0 /floppy vfat user,noauto,unhide 0 0 -#devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 +devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 #tmp /tmp tmpfs defaults 0 0 -shm /dev/shm tmpfs defaults 0 0 +#shm /dev/shm tmpfs defaults 0 0 #usb /proc/bus/usb usbfs defaults 0 0 -devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 - -#/ -#/dev/sda3: -UUID=c8776551-2a98-4335-9fcd-e337331216dd / ext4 defaults 0 0 - -#/boot -#/dev/sda2: -UUID=3b408790-65e1-4638-9591-7ba61f266913 /boot ext4 defaults,nodev,noexec,nosuid 0 0 - -#/boot/efi -#/dev/sda1: -UUID=962D-0DE1 /boot/efi vfat umask=0077 0 0 - -#/var -#/dev/sda4: -UUID=f0b112e2-6761-472f-b41e-e9c8ccd27702 /var ext4 defaults,nodev,noexec,nosuid 0 0 - -#/usr -#/dev/sda6: -UUID=35755a81-89b2-4f84-a945-5185d1d3b10b /usr ext4 defaults,nodev 0 0 - -#/tmp -#/dev/sda5: -UUID=1325ee41-27c9-4621-ab69-125bb6e1c63b /tmp ext4 defaults,nodev,nosuid,noexec 0 0 - -#/home -#/dev/sda7 -UUID=0ccd903c-b9e2-425f-bd30-78682ffce361 /home ext4 defaults,nodev,nosuid 0 0 - - -#/usr/ports -#/dev/sda8 -#UUID=d1df6743-d3cb-4d5a-badb-96cef3181095 /usr/ports ext4 defaults,nodev,nosuid,noexec 0 0 - -#/usr/ports/work -pkgmk /usr/ports/work tmpfs size=30G,gid=101,uid=101,defaults 0 0 - - -#swap -#/dev/sda9: -UUID=2925bf9d-6111-43cb-ab3f-2d95c55e40ca none swap sw 0 0 - # End of file diff --git a/core/conf/ports/6c37.httpup b/core/conf/ports/6c37.httpup deleted file mode 100644 index dbc9422..0000000 --- a/core/conf/ports/6c37.httpup +++ /dev/null @@ -1,5 +0,0 @@ -# Collection 6c37, by kori at openmailbox dot org -# File generated by the CRUX portdb http://crux.nu/portdb/ - -ROOT_DIR=/usr/ports/6c37 -URL=https://raw.githubusercontent.com/6c37/crux-ports/3.2/ diff --git a/core/conf/rc.conf b/core/conf/rc.conf index 661500c..ef31a33 100644 --- a/core/conf/rc.conf +++ b/core/conf/rc.conf 
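Review bot: This hunk deletes every filesystem entry, including the `/boot`, `/var`, `/tmp` and `/home` lines that carried `nodev,noexec,nosuid`, and comments out the `/dev/shm` tmpfs line, so after the change the file declares only devpts. If the real entries are now written by the installer (setup-install.sh is in this commit's diffstat), a header comment saying `# partition entries are generated by scripts/setup-install.sh` would stop the next reader from assuming the hardening was dropped on purpose; if they are not, the mount-option hardening is silently gone. Whatever mounts /dev/shm afterwards (the configure.html change in this same commit shows it as `shm on /dev/shm type tmpfs (rw,relatime)`) does so without `nosuid,nodev,noexec`, which keeping an explicit `shm /dev/shm tmpfs nosuid,nodev,noexec 0 0` line would provide.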
@@ -7,6 +7,6 @@ KEYMAP=dvorak TIMEZONE="Europe/Lisbon" HOSTNAME=c9 SYSLOG=sysklogd -SERVICES=(lo iptables wlan crond) +SERVICES=(lo iptables net crond) # End of file diff --git a/core/conf/rc.d/net b/core/conf/rc.d/net index e512dc7..07c46a5 100755 --- a/core/conf/rc.d/net +++ b/core/conf/rc.d/net @@ -4,18 +4,18 @@ # # Connection type: "DHCP" or "static" -#TYPE="static" TYPE="DHCP" # For "static" connections, specify your settings here: # To see your available devices run "ip link". -DEV=enp8s0 -ADDR=192.168.1.9 +DEV=enp11s0 +ADDR=192.168.1.100 MASK=24 -GW=192.168.1.254 +GW=192.168.1.1 # Optional settings: -DHCPOPTS="-h $(/bin/hostname) -C resolv.conf $DEV" +#DHCPOPTS="-h $(/bin/hostname) -C resolv.conf $DEV" +DHCPOPTS="-t 10" case $1 in start) @@ -29,13 +29,17 @@ case $1 in ;; stop) if [ "${TYPE}" = "DHCP" ]; then - /usr/bin/pkill -F /var/run/dhcpcd-${DEV}.pid - + /sbin/dhcpcd -x else + #/sbin/ip route del default + #/sbin/ip link set ${DEV} down + #/sbin/ip addr del ${ADDR}/${MASK} dev ${DEV} + /sbin/ip route del default dev ${DEV} /sbin/ip route flush dev ${DEV} /sbin/ip link set ${DEV} down /sbin/ip addr flush dev ${DEV} + fi ;; restart) diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan index d009c1c..8800148 100755 --- a/core/conf/rc.d/wlan +++ b/core/conf/rc.d/wlan 
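Review bot: In the `stop` branch `/sbin/dhcpcd -x` is not scoped to `${DEV}`; without an interface argument `-x` tells the running dhcpcd to exit altogether, and the first hunk's new `DHCPOPTS="-t 10"` no longer carries `$DEV` either, so unless the `start` branch (outside this hunk) passes `${DEV}` on its own, dhcpcd now manages every interface instead of the configured one. `/sbin/dhcpcd -x ${DEV}` keeps stop symmetric with a per-interface start. The three commented-out `ip` lines added above the live teardown are dead code and should either go or carry a comment saying why they are kept. Note also that the new `DHCPOPTS` drops the `-C resolv.conf` the old value had, so dhcpcd will overwrite /etc/resolv.conf, which the resolv.conf change in this commit appears to hand-maintain.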
@@ -17,40 +17,39 @@ OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV" print_status() { - $SSD --status --pidfile $2 - case $? in - 0) echo "$1 is running with pid $(cat $2)" ;; - 1) echo "$1 is not running but the pid file $2 exists" ;; - 3) echo "$1 is not running" ;; - 4) echo "Unable to determine the program status" ;; - esac + $SSD --status --pidfile $2 + case $? in + 0) echo "$1 is running with pid $(cat $2)" ;; + 1) echo "$1 is not running but the pid file $2 exists" ;; + 3) echo "$1 is not running" ;; + 4) echo "Unable to determine the program status" ;; + esac } case $1 in - start) - $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \ - $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP - RETVAL=$? - ;; - stop) - ( $SSD --stop --retry 10 --pidfile $PID_DHCP - $SSD --stop --retry 10 --pidfile $PID_WIFI ) - RETVAL=$? - ;; - restart) - $0 stop - $0 start - ;; - status) - print_status $PROG_WIFI $PID_WIFI - print_status $PROG_DHCP $PID_DHCP - ;; - *) - echo "Usage: $0 [start|stop|restart|status]" - ;; + start) + $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \ + $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP + RETVAL=$? + ;; + stop) + ( $SSD --stop --retry 10 --pidfile $PID_DHCP + $SSD --stop --retry 10 --pidfile $PID_WIFI ) + RETVAL=$? + ;; + restart) + $0 stop + $0 start + ;; + status) + print_status $PROG_WIFI $PID_WIFI + print_status $PROG_DHCP $PID_DHCP + ;; + *) + echo "Usage: $0 [start|stop|restart|status]" + ;; esac exit $RETVAL # End of file - diff --git a/core/conf/resolv.conf b/core/conf/resolv.conf index 8a85b42..4c22142 100644 --- a/core/conf/resolv.conf +++ b/core/conf/resolv.conf @@ -1,3 +1,8 @@ -# /etc/resolv.conf.head can replace this line +# +# /etc/resolv.conf: resolver configuration file +# + +#search +#nameserver nameserver 213.73.91.35 -# /etc/resolv.conf.tail can replace this line +# End of file 
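Review bot: The static `nameserver 213.73.91.35` and the `#search`/`#nameserver` template will not survive the first DHCP lease: this commit also sets `DHCPOPTS="-t 10"` in rc.d/net, dropping the `-C resolv.conf` that previously kept dhcpcd's resolv.conf hook disabled, so dhcpcd rewrites this file with the servers the DHCP server hands out. Either restore `-C resolv.conf` in DHCPOPTS (or `nohook resolv.conf` in dhcpcd.conf) if this file is meant to be authoritative, or say in the header that it is only the fallback used when no lease is held, e.g. `# fallback only; dhcpcd overwrites this file while it holds a lease`.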
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index b74243b..b419628 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -2,7 +2,7 @@ # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) # -kernel.printk = 1 4 1 7 +kernel.printk = 15 1 1 4 # Disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 @@ -10,13 +10,13 @@ net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 # Tuen IPv6 -# net.ipv6.conf.default.router_solicitations = 0 -# net.ipv6.conf.default.accept_ra_rtr_pref = 0 -# net.ipv6.conf.default.accept_ra_pinfo = 0 -# net.ipv6.conf.default.accept_ra_defrtr = 0 -# net.ipv6.conf.default.autoconf = 0 -# net.ipv6.conf.default.dad_transmits = 0 -# net.ipv6.conf.default.max_addresses = 0 +net.ipv6.conf.default.router_solicitations = 0 +net.ipv6.conf.default.accept_ra_rtr_pref = 0 +net.ipv6.conf.default.accept_ra_pinfo = 0 +net.ipv6.conf.default.accept_ra_defrtr = 0 +net.ipv6.conf.default.autoconf = 0 +net.ipv6.conf.default.dad_transmits = 0 +net.ipv6.conf.default.max_addresses = 0 # Avoid a smurf attack net.ipv4.icmp_echo_ignore_broadcasts = 1 @@ -98,5 +98,16 @@ net.core.wmem_max = 8388608 net.core.netdev_max_backlog = 5000 net.ipv4.tcp_window_scaling = 1 -# End of file +# Grsecurity stuff + +# cant chroot to outside chroot used to break chroot +kernel.grsecurity.chroot_deny_chroot = 1 +# function related to filesystems used to exploit +kernel.grsecurity.chroot_deny_pivot = 1 +# enforce current directory to chroot +kernel.grsecurity.chroot_enforce_chdir = 1 +# cant chmod inside chroot used to break chroot +kernel.grsecurity.chroot_deny_chmod = 0 + +# End of file diff --git a/core/configure.html b/core/configure.html index d025de8..d3d9318 100644 --- a/core/configure.html +++ b/core/configure.html @@ -171,8 +171,21 @@
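Review bot: `kernel.grsecurity.chroot_deny_chmod = 0` disables the restriction its own comment describes (`# cant chmod inside chroot used to break chroot`), while the three sibling keys are set to 1; if the relaxation is intentional the comment should say so and why, e.g. `# deliberately disabled: <reason>`, otherwise the value is probably meant to be 1. If the kernel exposes these keys, a final `kernel.grsecurity.grsec_lock = 1` would prevent them from being flipped back at runtime, which is usually the point of setting them from sysctl.conf. In the first hunk of this file `kernel.printk = 15 1 1 4` raises the console log level from 1 to a value above the highest message level, so every kernel message now reaches the console; worth a comment if that verbosity is wanted. The IPv6 hunk in between only uncomments existing lines.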

1.2.4.2. Create Administrator User

+

Description of most default pretinent groups;

+ +
+
adm
+
Administration group.
+
ftp
+
Access to files served by ftp.
+
users
+
Standard users group.
+
wheel
+
Administration group used to give access to sudo.
+
+
-        # useradd -U -m -k /etc/skel -s /bin/bash c9admin
+        # useradd -m -k /etc/skel -s /bin/bash -U -G adm,wheel,audio,video,users c9admin
         # passwd c9admin
         
@@ -217,64 +230,20 @@ # /etc/fstab: static file system information # # <file system> <dir> <type> <options> <dump> <pass> - - #/dev/#EXT4FS_ROOT# / ext4 defaults 0 1 - #/dev/#BTRFS_ROOT# / btrfs defaults 0 0 - #/dev/#XFS_ROOT# / xfs defaults 0 0 - #/dev/#SWAP# swap swap defaults 0 0 - #/dev/#EXT4FS_HOME# /home ext4 defaults 0 2 - #/dev/#BTRFS_HOME# /home btrfs defaults 0 0 - #/dev/#XFS_HOME# /home xfs defaults 0 0 - #/dev/cdrom /cdrom iso9660 ro,user,noauto,unhide 0 0 - #/dev/dvd /dvd udf ro,user,noauto,unhide 0 0 - #/dev/floppy/0 /floppy vfat user,noauto,unhide 0 0 - #tmp /tmp tmpfs defaults 0 0 - shm /dev/shm tmpfs defaults 0 0 - #usb /proc/bus/usb usbfs defaults 0 0 - - devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 - - #/ - #/dev/sda3: - UUID=c8776551-2a98-4335-9fcd-e337331216dd / ext4 defaults 0 0 - - #/boot - #/dev/sda2: - UUID=3b408790-65e1-4638-9591-7ba61f266913 /boot ext4 defaults,nodev,noexec,nosuid 0 0 - - #/boot/efi - #/dev/sda1: - UUID=962D-0DE1 /boot/efi vfat umask=0077 0 0 - - #/var - #/dev/sda4: - UUID=f0b112e2-6761-472f-b41e-e9c8ccd27702 /var ext4 defaults,nodev,noexec,nosuid 0 0 - - #/usr - #/dev/sda6: - UUID=35755a81-89b2-4f84-a945-5185d1d3b10b /usr ext4 defaults,nodev 0 0 - - #/tmp - #/dev/sda5: - UUID=1325ee41-27c9-4621-ab69-125bb6e1c63b /tmp ext4 defaults,nodev,nosuid,noexec 0 0 - - #/home - #/dev/sda7 - UUID=0ccd903c-b9e2-425f-bd30-78682ffce361 /home ext4 defaults,nodev,nosuid 0 0 - - - #/usr/ports - #/dev/sda8 - #UUID=d1df6743-d3cb-4d5a-badb-96cef3181095 /usr/ports ext4 defaults,nodev,nosuid,noexec 0 0 - - #/usr/ports/work - pkgmk /usr/ports/work tmpfs size=30G,gid=101,uid=101,defaults 0 0 - - - #swap - #/dev/sda9: - UUID=2925bf9d-6111-43cb-ab3f-2d95c55e40ca none swap sw 0 0 - + /dev/sda4 on / type ext4 (rw,relatime,data=ordered) + /dev/sda3 on /boot type ext4 (rw,relatime,data=ordered) + /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro) + 
/dev/sda5 on /var type ext4 (rw,relatime,data=ordered) + /dev/sda6 on /usr type ext4 (rw,relatime,data=ordered) + /dev/sda8 on /home type ext4 (rw,relatime,data=ordered) + + devtmpfs on /dev type devtmpfs (rw,nosuid,noatime,size=8192k,nr_inodes=16384,mode=755) + devpts on /dev/pts type devpts (rw,relatime,mode=600) + shm on /dev/shm type tmpfs (rw,relatime) + proc on /proc type proc (rw,relatime) + sysfs on /sys type sysfs (rw,relatime) + + pkgmk /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults 0 0 # End of file @@ -286,7 +255,7 @@

Edit /etc/rc.conf and define keyboard layout, hostname and timezone, more information about - configuration variables. + configuration variables.

@@ -299,14 +268,14 @@
         TIMEZONE="Europe/Lisbon"
         HOSTNAME=c9
         SYSLOG=sysklogd
-        SERVICES=(lo net crond)
+        SERVICES=(lo iptables wlan crond)
 
         # End of file
         
Core OS Index

This is part of the c9 Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/index.html b/core/index.html index d3eff38..bc8dad5 100644 --- a/core/index.html +++ b/core/index.html @@ -9,25 +9,25 @@

c9 Core OS

-

c9 Core OS covers installation, basic commands and - functionality of Crux 3.2 Gnu\Linux operating system. +

c9 Core OS covers installation and configuration of + basic functionality of Crux 3.3 Gnu\Linux operating system. This documentation try's to follow Crux HandBook installation method diverges, for example, by only installing and documenting gpt and grub2.

-

Read Crux HandBook, +

Read Crux HandBook, you can ask for help on freenode #crux. Check scripts folder the install process is automated and ports for extra ports used during the installation.

-

1. Install Crux 3.2 Gnu/Linux

+

1. Install Crux 3.3 Gnu/Linux

    -
  • 1.1. Install Crux 3.2 +
  • 1.1. Install Crux 3.3
    • 1.1.1. Download
    • -
    • 1.1.2. Prepare Target
    • -
    • 1.1.3. Prepare Install
    • +
    • 1.1.2. Prepare target
    • +
    • 1.1.3. Prepare install
    • 1.1.4. Install
    • 1.1.5. Install extra packages
    • 1.1.6. Install extra ports
    • diff --git a/core/install.html b/core/install.html index be98a0d..5939e7a 100644 --- a/core/install.html +++ b/core/install.html @@ -2,20 +2,20 @@ - 1.1. Install Crux 3.2 + 1.1. Install Crux 3.3 Core OS Index -

      1.1. Install Crux 3.2

      +

      1.1. Install Crux 3.3

      -

      Installation of minimal Crux 3.2 Gnu\Linux system, +

      Installation of minimal Crux 3.3 Gnu\Linux system, with selected packages from core, opt and contrib ports. Process of installation documented can be executed from iso or from existing gnu\linux installation. Read - Hand book 3.2, + Hand book 3.3, .

      If you are booting from crux iso and is not your keyboard @@ -25,28 +25,34 @@ # loadkeys dvorak -

      1.1.1. Download Iso

      +

      1.1.1. Download iso

      - Download Page +

      Visit crux + download page for + more notes before downloading iso. Script + setup-iso.sh downloads + iso from master repo and checks md5sum.

      -        $ curl -k -O https://serverop.de/crux/crux-3.2/iso/crux-3.2.iso
      -        $ curl -k -O https://serverop.de/crux/crux-3.2/iso/crux-3.2.md5
      -        $ md5sum crux-3.2.iso
      -        2e4144590f6b340de2580255ad21620e  crux-3.2.iso
      +        $ curl -k -O https://serverop.de/crux/crux-3.3/iso/crux-3.3.iso
      +        $ curl -k -O https://serverop.de/crux/crux-3.3/iso/crux-3.3.md5
      +        $ md5sum crux-3.3.iso
      +        b82134d40c9947580f7510694f6970de  crux-3.3.iso
               
      -

      1.1.2. Prepare Target

      +

      1.1.2. Prepare target

      Prepare disk or target location where new system will be installed. Follow steps describe how to create efi and separate partitions such as; - bios grub, EFI, swap, boot, root, var, usr and home. - Information about - gpt partition table. -

      + bios grub, EFI, boot, root, var, usr, swap and home. + For more information about gpt partitions table read + devil-detail grub2 on gpt. + Script setup-target.sh + creates follow partitions;

      Create gpt label and set unit size to use;

      +
               (parted) mklabel gpt
               (parted) unit mib
      @@ -69,107 +75,115 @@
               installations. Partition size 128M;

      -        (parted) mkpart ESP fat32 3 131
      -        (parted) name 2 boot
      +        (parted) mkpart ESP fat32 3 125
      +        (parted) name 2 efi
               (parted) set 2 boot on
               
      -

      Swap (ram)

      +

      /boot

      -

      Swap partition general advice is same size as memory ram, - ports system configured to build on ram need at least 34G - to build firefox. Other swap partitions can be added later for port - build on ram. Partition size 512M;

      +

      Boot partition. Partition with 1G provide room for kernels + and crux iso that can be directly boot from grub (without root + partition). Partition size 1G;

      -        (parted) mkpart primary linux-swap 131 643
      -        (parted) name 3 swap
      +        (parted) mkpart primary ext4 125 1128
      +        (parted) name 3 boot
               
      -

      /boot

      +

      /

      -

      Boot partition. Partition with 1G provide room for kernels and - crux iso that can be directly boot from grub (without root partition). - Partition size 1G;

      +

      Normal core crux installation root partition uses + approximately 2G, without /usr 200MB-500M. Minimum 2G + is recommended to give room to root home directory with + dedicated (separated) usr and var partition. + Partition size 4G;

      -        (parted) mkpart primary ext4 643 1667
      -        (parted) name 4 boot
      +        (parted) mkpart primary ext4 1128 5128
      +        (parted) name 4 root
               
      -

      /

      +

      /var

      -

      Normal core crux installation root partition uses approximately 2G, - without /usr 200MB-500M. Minimum 2G is recommended. Partition size 2.4G;

      +

      Var partition is recommended 1G-5G depending on how + system is configured. Partition size 1G;

      -        (parted) mkpart primary ext4 1667 4096
      -        (parted) name 5 root
      +        (parted) mkpart primary ext4 5128 6128
      +        (parted) name 5 var
               
      -

      Core system can be installed from here, additional partitions can be - created now or later.

      - -

      /var

      +

      /usr

      -

      Var partition is recommended 100MiB-500MiB. Partition size 1G; +

      User partition with 4G-8G is recommended for a desktop + setup, with dedicated partition for ports. Partition size + 8G;

      -        (parted) mkpart primary ext4 4096 5120
      -        (parted) name 6 var
      +        (parted) mkpart primary ext4 6128 14128
      +        (parted) name 6 usr
               
      -

      /usr

      +

      Swap (ram)

      -

      User partition with 4G-8G is recommended for a desktop setup, we will use 8G; +

      Swap partition general advice is to have the same size as + memory ram, ports system will be configured to build on ram. + To build firefox is necessary at least 34G, swap partitions + will be added to lvm and this partition removed. + Partition size 4G;

      -        (parted) mkpart primary ext4 5120 13312
      -        (parted) name 7 usr
      +        (parted) mkpart primary linux-swap 14128 18128
      +        (parted) name 3 swap
               

      /home

      -

      Home partition can have limited size for later creation of lvm or fill the rest of - disk space; +

      Home partition general advice is to fill the rest of disk + space. Home partition will be added later to lvm and this + partition removed. Fill the rest of disk space;

      -        (parted) mkpart primary ext4 13312 -1
      +        (parted) mkpart primary ext4 18128 100%
               (parted) name 8 home
               
      -

      Create filesystems

      +

      1.1.3. Prepare Install

      -
      -       $ export BLK_EFI=/dev/sda2
      -       $ export BLK_SWAP=/dev/sda3
      -       $ export BLK_BOOT=/dev/sda4
      -       $ export BLK_ROOT=/dev/sda5
      -       $ export BLK_VAR=/dev/sda6
      -       $ export BLK_USR=/dev/sda7
      -       $ export BLK_HOME=/dev/sda8
      -        
      +

      From now on script + setup-install.sh + create file systems, install packages, configure host + metadata and setup ports;

      -        $ sudo mkfs.fat -F 32  $BLK_EFI
      +        $ export CHROOT=/mnt
               
      -
      -        $ sudo mkswap $BLK_SWAP
      -        
      +

      Create filesystems

      -       $ sudo mkfs.ext4 $BLK_BOOT
      -       $ sudo mkfs.ext4 $BLK_ROOT
      -       $ sudo mkfs.ext4 $BKL_VAR
      -       $ sudo mkfs.ext4 $BKL_USR
      -       $ sudo mkfs.ext4 $BKL_HOME
      +        $ export DEV=/dev/sda
               
      -

      1.1.3. Prepare Install

      +
      +        $ export BLK_EFI="${DEV}2"
      +        $ export BLK_BOOT="${DEV}3"
      +        $ export BLK_ROOT="${DEV}4"
      +        $ export BLK_VAR="${DEV}5"
      +        $ export BLK_USR="${DEV}6"
      +        $ export BLK_SWP="${DEV}7"
      +        $ export BLK_HOME="${DEV}8"
      +       
      -        $ export CHROOT=/mnt
      +        $ sudo mkfs.fat -F 32  $BLK_EFI
      +        $ sudo mkfs.ext4 $BLK_BOOT
      +        $ sudo mkfs.ext4 $BLK_ROOT
      +        $ sudo mkfs.ext4 $BKL_VAR
      +        $ sudo mkfs.ext4 $BKL_USR
      +        $ sudo mkswap $BLK_SWAP
      +        $ sudo mkfs.ext4 $BKL_HOME
               
      @@ -217,7 +231,7 @@
               
               # modprobe isofs
               # modprobe loop
      -        # mount -o loop crux-3.2.iso $CHROOT/media
      +        # mount -o loop crux-3.3.iso $CHROOT/media
               

      1.1.4. Install Crux

      @@ -232,17 +246,13 @@

      Install temporary pkgadd on $CHROOT;

      -        $ sudo tar xf /media/crux/core/pkgutils#5.36-2.pkg.tar.xz usr/bin/pkgadd -O > $CHROOT/pkgadd
      +        $ sudo tar xf /media/crux/core/pkgutils#5.40-1.pkg.tar.xz usr/bin/pkgadd -O > $CHROOT/pkgadd
               $ sudo chmod +x $CHROOT/pkgadd
               

      Edit $CHROOT/core.lst with your preferences, you can remove or add packages from opt collection. Remove lilo if you want - grub;

      - -
      -        /mnt/iso/crux/core/lilo#24.1-3.pkg.tar.xz
      -        
      + grub.

      Create package database, it will contain a list of i nstalled packages files.

      @@ -265,50 +275,44 @@

      1.1.5. Install extra packages

      Install additional ports like wireless-tools, grub2 - and fakeroot

      + and fakeroot;

               cp $CHROOT/media/crux/opt/* $CHROOT/usr/ports/packages
               cp $CHROOT/media/crux/xorg/* $CHROOT/usr/ports/packages
               
      -

      Install fakeroot and create user account, read - ;

      -
      -        # pkgadd /media/crux/opt/fakeroot#1.20.2-1.pkg.tar.xz
      +        # chroot $CHROOT /bin/bash
               
      -
      -	# chroot /mnt /bin/bash
      -	
      -
      -        pkgadd /usr/ports/packages/dbus#1.10.2-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/expat#2.1.0-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/libnl#3.2.27-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/libpng#1.6.19-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/freetype#2.6.1-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/libffi#3.2.1-2.pkg.tar.xz
      -        pkgadd /usr/ports/packages/sqlite3#3.9.2-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/python#2.7.10-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/glib#2.46.2-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/grub2#2.00-7.pkg.tar.xz
      -        pkgadd /usr/ports/packages/grub2-efi#2.00-4.pkg.tar.xz
      -        pkgadd /usr/ports/packages/wireless-tools#29-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/wpa_supplicant#2.5-2.pkg.tar.xz
      -        pkgadd /usr/ports/packages/lvm2#2.02.133-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/mdadm#3.3.4-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/efivar#0.21-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/efibootmgr#0.12-1.pkg.tar.xz
      -        pkgadd /usr/ports/packages/dosfstools#3.0.26-1.pkg.tar.xz
      +        pkgadd /usr/ports/packages/fakeroot#*
      +        pkgadd /usr/ports/packages/dbus#*
      +        pkgadd /usr/ports/packages/expat#*
      +        pkgadd /usr/ports/packages/libnl#*
      +        pkgadd /usr/ports/packages/libpng#*
      +        pkgadd /usr/ports/packages/freetype#*
      +        pkgadd /usr/ports/packages/libffi#*
      +        pkgadd /usr/ports/packages/sqlite3#*
      +        pkgadd /usr/ports/packages/python#*
      +        pkgadd /usr/ports/packages/glib#*
      +        pkgadd /usr/ports/packages/grub2#*
      +        pkgadd /usr/ports/packages/grub2-efi#*
      +        pkgadd /usr/ports/packages/wireless-tools#*
      +        pkgadd /usr/ports/packages/wpa_supplicant#*
      +        pkgadd /usr/ports/packages/lvm2#*
      +        pkgadd /usr/ports/packages/mdadm#*
      +        pkgadd /usr/ports/packages/efivar#*
      +        pkgadd /usr/ports/packages/efibootmgr#*
      +        pkgadd /usr/ports/packages/dosfstools#*
               
      -
      -	# exit
      -	
      +
      +        # exit
      +        
      -
      +        
               $ sudo rm $CHROOT/pkgadd
               $ sudo rm $CHROOT/core.lst
               
      @@ -317,7 +321,7 @@

      Create c9 ports;

      -
      +        
               $ sudo mkdir $CHROOT/usr/ports/c9-ports
               
      @@ -325,7 +329,7 @@
               $ sudo cp -r ports/* $CHROOT/usr/ports/c9-ports/
      -	
      +

      1.1.7. DNS Resolver

      @@ -349,7 +353,7 @@ Core OS Index

      This is part of the c9 Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

      diff --git a/core/package.html b/core/package.html index 21c029a..475d94b 100644 --- a/core/package.html +++ b/core/package.html @@ -12,9 +12,9 @@

      For more information read crux handbook Package management front-end: - prt-get + prt-get and Introduction to - pkgutils.

      + pkgutils.

      diff --git a/core/ports.html b/core/ports.html index 1d06877..230e284 100644 --- a/core/ports.html +++ b/core/ports.html @@ -20,7 +20,7 @@ Add a user that will be used by ports tools, this example pkgmk;

      -        # useradd -U -m -d /usr/ports -s /bin/false pkgmk
      +        # useradd -U -M -d /usr/ports -s /bin/false pkgmk
               

      You can add your self to group pkgmk,

      @@ -67,7 +67,7 @@

      1.3.3. Configure pkgmk

      -

      Read 4.5. Adjust/Configure the Package Build Process +

      Read 4.5. Adjust/Configure the Package Build Process to take advantage of your specific hardware. Packages build with native flag will not run on different hardware. This is the best choice if you want gcc to find the best settings based on your hardware.

      diff --git a/core/ports/linux-libre/.footprint b/core/ports/linux-libre/.footprint index d8198d0..c4fc544 100644 --- a/core/ports/linux-libre/.footprint +++ b/core/ports/linux-libre/.footprint 
@@ -1,506 +1,59 @@ drwxr-xr-x root/root boot/ --rw-r--r-- root/root boot/System.map-4.1.34-gnu_crux --rw-r--r-- root/root boot/config-4.1.34-gnu_crux --rw-r--r-- root/root boot/vmlinuz-4.1.34-gnu_crux +-rw-r--r-- root/root boot/System.map-4.9.9-grsec +-rw-r--r-- root/root boot/config-4.9.9-grsec +-rw-r--r-- root/root boot/vmlinuz-4.9.9-grsec drwxr-xr-x root/root lib/ drwxr-xr-x root/root lib/modules/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/arch/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/arch/x86/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/arch/x86/kernel/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/arch/x86/kernel/iosf_mbi.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/ansi_cprng.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/arc4.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/async_tx/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/async_tx/async_memcpy.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/async_tx/async_pq.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/async_tx/async_raid6_recov.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/async_tx/async_tx.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/async_tx/async_xor.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/cbc.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/ccm.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/crypto_null.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/ctr.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/ecb.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/gcm.ko --rw-r--r-- root/root 
lib/modules/4.1.34-gnu_crux/kernel/crypto/gf128mul.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/ghash-generic.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/michael_mic.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/seqiv.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/crypto/xts.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/ata_generic.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_ali.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_artop.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_atiixp.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_cmd640.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_cmd64x.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_cypress.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_efar.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_hpt366.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_hpt37x.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_hpt3x2n.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_hpt3x3.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_it8213.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_it821x.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_marvell.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_mpiix.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_netcell.ko --rw-r--r-- root/root 
lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_ninja32.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_ns87410.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_ns87415.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_oldpiix.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_opti.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_optidma.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_pcmcia.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_pdc2027x.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_radisys.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_rz1000.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_sch.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_serverworks.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_sil680.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_sis.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_sl82c105.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_triflex.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pata_via.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/pdc_adma.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/sata_inic162x.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/sata_mv.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/sata_promise.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/sata_qstor.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/sata_sil.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/sata_sil24.ko 
--rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/sata_sis.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/sata_svw.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/sata_sx4.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/sata_uli.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/sata_via.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ata/sata_vsc.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/bcma/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/bcma/bcma.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/block/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/block/loop.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/cdrom/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/cdrom/cdrom.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/connector/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/connector/cn.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/firewire/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/firewire/firewire-core.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/firewire/firewire-ohci.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/firewire/firewire-sbp2.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/firmware/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/firmware/efi/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/firmware/efi/efivars.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/hid/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/hid/hid-generic.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/hv/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/hv/hv_balloon.ko 
--rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/hv/hv_utils.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/hwmon/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/hwmon/hwmon.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/i2c/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/i2c/algos/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/i2c/algos/i2c-algo-bit.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/i2c/i2c-core.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/input/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/input/evdev.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/input/mousedev.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/leds/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/leds/led-class.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/dm-bio-prison.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/dm-bufio.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/dm-crypt.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/dm-log.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/dm-mirror.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/dm-mod.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/dm-multipath.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/dm-raid.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/dm-region-hash.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/dm-round-robin.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/dm-snapshot.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/dm-thin-pool.ko 
--rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/md-mod.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/multipath.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/persistent-data/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/persistent-data/dm-persistent-data.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/raid0.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/raid1.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/raid10.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/md/raid456.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/message/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/message/fusion/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/message/fusion/mptfc.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/misc/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/misc/eeprom/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/misc/eeprom/eeprom_93cx6.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/misc/vmw_balloon.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/misc/vmw_vmci/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/misc/vmw_vmci/vmw_vmci.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/mmc/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/mmc/card/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/mmc/card/mmc_block.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/mmc/core/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/mmc/core/mmc_core.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/mmc/host/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/mmc/host/sdhci-pci.ko --rw-r--r-- root/root 
lib/modules/4.1.34-gnu_crux/kernel/drivers/mmc/host/sdhci.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/3com/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/3com/3c59x.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/3com/typhoon.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/8390/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/8390/8390.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/8390/ne2k-pci.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/adaptec/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/adaptec/starfire.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/amd/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/amd/amd8111e.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/amd/pcnet32.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/atheros/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/atheros/alx/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/atheros/alx/alx.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/atheros/atl1c/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/atheros/atl1c/atl1c.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/atheros/atl1e/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/atheros/atl1e/atl1e.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/atheros/atlx/ --rw-r--r-- root/root 
lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/atheros/atlx/atl1.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/atheros/atlx/atl2.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/broadcom/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/broadcom/b44.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/broadcom/bnx2.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/broadcom/bnx2x/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/broadcom/bnx2x/bnx2x.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/broadcom/cnic.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/broadcom/tg3.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/brocade/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/brocade/bna/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/brocade/bna/bna.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/cadence/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/cadence/macb.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/cisco/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/cisco/enic/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/cisco/enic/enic.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/dec/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/dec/tulip/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/dec/tulip/de2104x.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/dec/tulip/de4x5.ko --rw-r--r-- root/root 
lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/dec/tulip/dmfe.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/dec/tulip/tulip.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/dec/tulip/uli526x.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/dec/tulip/winbond-840.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/dlink/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/dlink/dl2k.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/dlink/sundance.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/emulex/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/emulex/benet/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/emulex/benet/be2net.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/hp/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/hp/hp100.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/e100.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/e1000/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/e1000/e1000.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/e1000e/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/igb/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/igb/igb.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/igbvf/ --rw-r--r-- root/root 
lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/igbvf/igbvf.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/ixgb/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/ixgb/ixgb.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/ixgbe/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/ixgbe/ixgbe.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/ixgbevf/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/intel/ixgbevf/ixgbevf.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/marvell/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/marvell/mvmdio.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/marvell/skge.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/marvell/sky2.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/natsemi/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/natsemi/natsemi.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/natsemi/ns83820.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/nvidia/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/nvidia/forcedeth.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/realtek/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/realtek/8139cp.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/realtek/8139too.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/realtek/r8169.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/via/ --rw-r--r-- root/root 
lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/via/via-rhine.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/ethernet/via/via-velocity.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/hyperv/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/hyperv/hv_netvsc.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/mdio.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/mii.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/phy/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/phy/libphy.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/virtio_net.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/vmxnet3/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/vmxnet3/vmxnet3.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ath/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ath/ath.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ath/ath5k/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ath/ath5k/ath5k.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ath/ath6kl/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ath/ath6kl/ath6kl_core.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ath/ath9k/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ath/ath9k/ath9k.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ath/ath9k/ath9k_common.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ath/ath9k/ath9k_hw.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/b43/ 
--rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/b43/b43.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/b43legacy/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/b43legacy/b43legacy.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ipw2x00/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ipw2x00/ipw2100.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ipw2x00/ipw2200.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/ipw2x00/libipw.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/iwlegacy/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/iwlegacy/iwl3945.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/iwlegacy/iwl4965.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/iwlegacy/iwlegacy.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/iwlwifi/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/iwlwifi/dvm/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/iwlwifi/dvm/iwldvm.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/iwlwifi/iwlwifi.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rt2x00/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rt2x00/rt2400pci.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rt2x00/rt2500pci.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rt2x00/rt2800lib.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rt2x00/rt2800mmio.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rt2x00/rt2800pci.ko 
--rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rt2x00/rt2x00lib.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rt2x00/rt2x00mmio.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rt2x00/rt2x00pci.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rt2x00/rt61pci.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/btcoexist/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/btcoexist/btcoexist.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8188ee/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8188ee/rtl8188ee.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8192c/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8192c/rtl8192c-common.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8192ce/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8192ce/rtl8192ce.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8192de/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8192de/rtl8192de.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8192se/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8192se/rtl8192se.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8723ae/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8723ae/rtl8723ae.ko -drwxr-xr-x root/root 
lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8723com/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl8723com/rtl8723-common.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtl_pci.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/wireless/rtlwifi/rtlwifi.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/xen-netback/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/xen-netback/xen-netback.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/net/xen-netfront.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/pcmcia/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/pcmcia/i82092.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/pcmcia/pcmcia.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/pcmcia/pcmcia_core.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/pcmcia/pcmcia_rsrc.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/pcmcia/pd6729.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/pcmcia/yenta_socket.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/pps/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/pps/pps_core.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ptp/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ptp/ptp.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/3w-9xxx.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/3w-xxxx.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/BusLogic.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/a100u2w.ko -drwxr-xr-x root/root 
lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/aacraid/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/aacraid/aacraid.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/advansys.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/aic7xxx/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/aic7xxx/aic79xx.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/aic7xxx/aic7xxx.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/aic94xx/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/aic94xx/aic94xx.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/arcmsr/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/arcmsr/arcmsr.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/atp870u.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/dc395x.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/dmx3191d.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/dpt_i2o.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/eata.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/fdomain.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/gdth.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/hpsa.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/hptiop.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/initio.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/ipr.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/ips.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/iscsi_boot_sysfs.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/libiscsi.ko -drwxr-xr-x root/root 
lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/libsas/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/libsas/libsas.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/lpfc/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/lpfc/lpfc.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/megaraid.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/megaraid/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/megaraid/megaraid_mbox.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/megaraid/megaraid_mm.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/megaraid/megaraid_sas.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/mpt2sas/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/mpt2sas/mpt2sas.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/mpt3sas/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/mpt3sas/mpt3sas.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/mvsas/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/mvsas/mvsas.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/qla1280.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/qla2xxx/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/qla2xxx/qla2xxx.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/qla4xxx/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/qla4xxx/qla4xxx.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/raid_class.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/scsi_transport_fc.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/scsi_transport_iscsi.ko --rw-r--r-- root/root 
lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/sg.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/sr_mod.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/stex.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/sym53c8xx_2/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/scsi/sym53c8xx_2/sym53c8xx.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ssb/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/ssb/ssb.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/uio/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/uio/uio.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/usb/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/usb/class/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/usb/class/cdc-acm.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/usb/mon/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/usb/mon/usbmon.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/usb/storage/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/usb/storage/usb-storage.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/virtio/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/virtio/virtio_balloon.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/xen/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/xen/xen-evtchn.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/xen/xen-gntalloc.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/xen/xen-gntdev.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/xen/xen-pciback/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/xen/xen-pciback/xen-pciback.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/xen/xen-privcmd.ko -drwxr-xr-x 
root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/xen/xenfs/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/drivers/xen/xenfs/xenfs.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/fs/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/fs/efivarfs/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/efivarfs/efivarfs.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/fs/f2fs/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/f2fs/f2fs.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/fs/fat/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/fat/fat.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/fat/msdos.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/fat/vfat.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/fs/fuse/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/fuse/fuse.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/fs/hfsplus/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/hfsplus/hfsplus.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/fs/isofs/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/isofs/isofs.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/fs/nilfs2/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/nilfs2/nilfs2.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/fs/nls/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/nls/nls_cp437.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/nls/nls_iso8859-1.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/nls/nls_iso8859-15.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/nls/nls_utf8.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/fs/ntfs/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/ntfs/ntfs.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/fs/udf/ --rw-r--r-- root/root 
lib/modules/4.1.34-gnu_crux/kernel/fs/udf/udf.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/fs/ufs/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/fs/ufs/ufs.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/lib/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/lib/crc-ccitt.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/lib/crc-itu-t.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/net/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/net/mac80211/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/net/mac80211/mac80211.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/net/rfkill/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/net/rfkill/rfkill.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/net/wireless/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/net/wireless/cfg80211.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/net/wireless/lib80211.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/net/wireless/lib80211_crypt_ccmp.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/net/wireless/lib80211_crypt_tkip.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/net/wireless/lib80211_crypt_wep.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/ac97_bus.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/oss/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/oss/snd-mixer-oss.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/oss/snd-pcm-oss.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/seq/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/seq/oss/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/seq/oss/snd-seq-oss.ko --rw-r--r-- root/root 
lib/modules/4.1.34-gnu_crux/kernel/sound/core/seq/snd-seq-device.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/seq/snd-seq-midi-emul.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/seq/snd-seq-midi-event.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/seq/snd-seq-midi.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/seq/snd-seq-virmidi.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/seq/snd-seq.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/snd-hwdep.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/snd-pcm.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/snd-rawmidi.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/snd-timer.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/core/snd.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/hda/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/hda/snd-hda-core.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/ac97/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/ac97/snd-ac97-codec.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/ca0106/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/ca0106/snd-ca0106.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/ctxfi/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/ctxfi/snd-ctxfi.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/emu10k1/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/emu10k1/snd-emu10k1-synth.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/emu10k1/snd-emu10k1.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/emu10k1/snd-emu10k1x.ko -drwxr-xr-x root/root 
lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec-analog.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec-ca0110.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec-ca0132.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec-cirrus.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec-cmedia.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec-conexant.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec-generic.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec-hdmi.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec-idt.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec-realtek.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec-si3054.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec-via.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-codec.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-controller.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/hda/snd-hda-intel.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/pci/snd-intel8x0.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/soundcore.ko -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/synth/ -drwxr-xr-x root/root lib/modules/4.1.34-gnu_crux/kernel/sound/synth/emux/ --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/synth/emux/snd-emux-synth.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/kernel/sound/synth/snd-util-mem.ko --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/modules.alias 
--rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/modules.alias.bin --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/modules.builtin --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/modules.builtin.bin --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/modules.dep --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/modules.dep.bin --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/modules.devname --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/modules.order --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/modules.softdep --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/modules.symbols --rw-r--r-- root/root lib/modules/4.1.34-gnu_crux/modules.symbols.bin +drwxr-xr-x root/root lib/modules// +lrwxrwxrwx root/root lib/modules//build -> /usr/src/linux-4.9.9 +drwxr-xr-x root/root lib/modules//kernel/ +drwxr-xr-x root/root lib/modules//kernel/drivers/ +drwxr-xr-x root/root lib/modules//kernel/drivers/media/ +drwxr-xr-x root/root lib/modules//kernel/drivers/media/platform/ +drwxr-xr-x root/root lib/modules//kernel/drivers/media/platform/soc_camera/ +-rw-r--r-- root/root lib/modules//kernel/drivers/media/platform/soc_camera/soc_camera.ko +-rw-r--r-- root/root lib/modules//kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko +-rw-r--r-- root/root lib/modules//kernel/drivers/media/platform/soc_camera/soc_mediabus.ko +drwxr-xr-x root/root lib/modules//kernel/drivers/media/usb/ +drwxr-xr-x root/root lib/modules//kernel/drivers/media/usb/gspca/ +-rw-r--r-- root/root lib/modules//kernel/drivers/media/usb/gspca/gspca_main.ko +drwxr-xr-x root/root lib/modules//kernel/drivers/media/usb/uvc/ +-rw-r--r-- root/root lib/modules//kernel/drivers/media/usb/uvc/uvcvideo.ko +drwxr-xr-x root/root lib/modules//kernel/drivers/media/v4l2-core/ +-rw-r--r-- root/root lib/modules//kernel/drivers/media/v4l2-core/videobuf-core.ko +-rw-r--r-- root/root lib/modules//kernel/drivers/media/v4l2-core/videobuf2-core.ko +-rw-r--r-- root/root 
lib/modules//kernel/drivers/media/v4l2-core/videobuf2-memops.ko +-rw-r--r-- root/root lib/modules//kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko +-rw-r--r-- root/root lib/modules//kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko +drwxr-xr-x root/root lib/modules//kernel/drivers/misc/ +drwxr-xr-x root/root lib/modules//kernel/drivers/misc/eeprom/ +-rw-r--r-- root/root lib/modules//kernel/drivers/misc/eeprom/eeprom_93cx6.ko +drwxr-xr-x root/root lib/modules//kernel/fs/ +drwxr-xr-x root/root lib/modules//kernel/fs/ntfs/ +-rw-r--r-- root/root lib/modules//kernel/fs/ntfs/ntfs.ko +drwxr-xr-x root/root lib/modules//kernel/lib/ +-rw-r--r-- root/root lib/modules//kernel/lib/crc-ccitt.ko +drwxr-xr-x root/root lib/modules//kernel/net/ +drwxr-xr-x root/root lib/modules//kernel/net/netfilter/ +-rw-r--r-- root/root lib/modules//kernel/net/netfilter/xt_LED.ko +-rw-r--r-- root/root lib/modules//kernel/net/netfilter/xt_physdev.ko +-rw-r--r-- root/root lib/modules//modules.alias +-rw-r--r-- root/root lib/modules//modules.alias.bin +-rw-r--r-- root/root lib/modules//modules.builtin +-rw-r--r-- root/root lib/modules//modules.builtin.bin +-rw-r--r-- root/root lib/modules//modules.dep +-rw-r--r-- root/root lib/modules//modules.dep.bin +-rw-r--r-- root/root lib/modules//modules.devname (EMPTY) +-rw-r--r-- root/root lib/modules//modules.order +-rw-r--r-- root/root lib/modules//modules.softdep +-rw-r--r-- root/root lib/modules//modules.symbols +-rw-r--r-- root/root lib/modules//modules.symbols.bin +lrwxrwxrwx root/root lib/modules//source -> /usr/src/linux-4.9.9 drwxr-xr-x root/root usr/ drwxr-xr-x root/root usr/src/ --rw-r--r-- root/root usr/src/cpu_optimizations.patch --rw-r--r-- root/root usr/src/linux-4.1.34.defconfig +-rw-r--r-- root/root usr/src/4.9.9-cpu_optimizations.patch +-rw-r--r-- root/root usr/src/4.9.9-libre-config +-rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.9-201702122044.patch +-rw-r--r-- root/root usr/src/port-libre-cpu.patch +-rw-r--r-- root/root 
usr/src/port-libre-grsecurity.patch
+-rw-r--r-- root/root usr/src/port-libre-make.patch
diff --git a/core/ports/linux-libre/.md5sum b/core/ports/linux-libre/.md5sum
index da26895..f3730dc 100644
--- a/core/ports/linux-libre/.md5sum
+++ b/core/ports/linux-libre/.md5sum
@@ -1,3 +1,7 @@
-1e8ecc2208e18d8152aa8df710e94f59 enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
-3b9b31399dbb8c3be1f099bb26393188 linux-4.1.34.defconfig
-578f28f0bcc61d5d033506ebb52a4540 linux-libre-4.1.34-gnu.tar.xz
+e3f300c53a40f09c49c4f4ee40529aa5 config-c9
+00bc0d70f200c2673fe7dd6f02053fa4 enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
+85155985089acdb7c77e8e30fa135c86 grsecurity-3.1-4.9.9-201702122044.patch
+063ee35b14381af654181b591fc44564 linux-libre-4.9.9-gnu.tar.xz
+bcf38b0fbf7bd83323f3202ec082b15a port-libre-cpu.patch
+470face301667e4a88a7664f69c1ae29 port-libre-grsecurity.patch
+bb8635cc48ad0c16d03fb8418d4ffafb port-libre-make.patch
diff --git a/core/ports/linux-libre/Pkgfile b/core/ports/linux-libre/Pkgfile
index b792163..eec03b8 100644
--- a/core/ports/linux-libre/Pkgfile
+++ b/core/ports/linux-libre/Pkgfile
@@ -4,37 +4,60 @@ # Depends on: grub2 dracut name=linux-libre -version=4.1.34 -release=1 +version=4.9.9 +release=3 source=(http://linux-libre.fsfla.org/pub/linux-libre/releases/$version-gnu/$name-$version-gnu.tar.xz \ -https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \ -linux-$version.defconfig) + https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \ + https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch \ + port-libre-grsecurity.patch \ + port-libre-cpu.patch \ + port-libre-make.patch \ + config-c9) build() { - cd linux-$version - mkdir -p $PKG/usr/src - cp $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/cpu_optimizations.patch + mkdir -p $PKG/usr/src - cp ../linux-$version.defconfig $PKG/usr/src/ + # /usr/src/version-libre-config + install -m 0644 $SRC/config-c9 $PKG/usr/src/${version}-libre-config - make distclean + # /usr/src/version-cpu_optimizations.patch + install -m 0644 $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch - cp ../linux-$version.defconfig .config + # /usr/src/grsecurity-version.patch + install -m 0644 $SRC/grsecurity-3.1-4.9.9-201702122044.patch $PKG/usr/src/ + install -m 0644 $SRC/port-libre-grsecurity.patch $PKG/usr/src/ + install -m 0644 $SRC/port-libre-cpu.patch $PKG/usr/src/ + install -m 0644 $SRC/port-libre-make.patch $PKG/usr/src/ - make silentoldconfig - # make localmodconfig + patch < port-libre-grsecurity.patch + patch < port-libre-cpu.patch - make -j $(nproc) all - make INSTALL_MOD_PATH=$PKG modules_install + cd linux-$version - install -m 0644 -D arch/x86_64/boot/bzImage $PKG/boot/vmlinuz-$version-gnu_crux - install -m 0644 System.map $PKG/boot/System.map-$version-gnu_crux - install -m 0644 .config 
$PKG/boot/config-$version-gnu_crux + patch < ${SRC}/port-libre-make.patch - rm $PKG/lib/modules/${version}-gnu_crux/source - rm $PKG/lib/modules/${version}-gnu_crux/build - #ln -sf /usr/src/linux-4.1.30-gnu_crux $PKG/lib/modules/4.1.32-gnu_crux/build - #ln -sf /usr/src/linux-4.1.30-gnu_crux $PKG/lib/modules/4.1.32-gnu_crux/source + make distclean + patch -p1 < $SRC/grsecurity-3.1-4.9.9-201702122044.patch + patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch + + cp $SRC/config-c9 .config + + make silentoldconfig + make nconfig + # make localmodconfig + + make LOCALVERSION= bzImage modules + make INSTALL_MOD_PATH=$PKG modules_install + + install -m 0644 -D arch/x86_64/boot/bzImage $PKG/boot/vmlinuz-$version-grsec + install -m 0644 System.map $PKG/boot/System.map-$version-grsec + install -m 0644 .config $PKG/boot/config-$version-grsec + + rm ${PKG}/lib/modules/${version}-grsec/source + rm ${PKG}/lib/modules/${version}-grsec/build + + ln -s /usr/src/linux-${version} $PKG/lib/modules/${version}-grsec/source + ln -s /usr/src/linux-${version} $PKG/lib/modules/${version}-grsec/build } diff --git a/core/ports/linux-libre/config-c9 b/core/ports/linux-libre/config-c9 new file mode 100644 index 0000000..d1b6598 --- /dev/null +++ b/core/ports/linux-libre/config-c9 
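Review bot: `make nconfig` in the new build() is an interactive ncurses step, so an unattended pkgmk run blocks waiting for a terminal and the .config that gets built depends on what the operator changes in that session rather than on the shipped config-c9; drop it (or gate it behind an explicit opt-in variable) and let `make silentoldconfig` resolve the copied config non-interactively. The `rm`/`ln -s` lines at the end hard-code `lib/modules/${version}-grsec`, while the footprint hunk earlier in this commit, if I read it correctly, records the modules under `lib/modules//` (an empty release string) with build/source symlinks that modules_install already pointed at /usr/src/linux-4.9.9, so the two disagree; deriving the directory once with `krel=$(make -s kernelrelease)` and using `$PKG/lib/modules/$krel` for the rm and ln lines removes the guess. Those symlinks target `/usr/src/linux-${version}`, which nothing in this port installs (usr/src/ in the footprint holds only the patches and the config), so they dangle unless the tree is unpacked there by hand and out-of-tree module builds against this kernel will fail. On the sourcing side, the graysky patch is fetched from a `master` URL rather than a pinned commit, so the .md5sum entry is the only thing standing between an upstream change and a different kernel; pinning the URL to a commit makes the build reproducible and makes a checksum mismatch meaningful rather than routine.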
@@ -0,0 +1,4708 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 4.9.9-grsec Kernel Configuration +# +CONFIG_64BIT=y +CONFIG_X86_64=y +CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_MMU=y +CONFIG_ARCH_MMAP_RND_BITS_MIN=27 +CONFIG_ARCH_MMAP_RND_BITS_MAX=27 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_HWEIGHT=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_RWSEM_XCHGADD_ALGORITHM=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ZONE_DMA32=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_HAVE_INTEL_TXT=y +CONFIG_X86_64_SMP=y +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_DEBUG_RODATA=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_EXTABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y + +# +# General setup +# +CONFIG_INIT_ENV_ARG_LIMIT=32 +CONFIG_CROSS_COMPILE="" +# CONFIG_COMPILE_TEST is not set +CONFIG_LOCALVERSION="" +# CONFIG_LOCALVERSION_AUTO is not set +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +# CONFIG_KERNEL_GZIP is not set +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +CONFIG_KERNEL_XZ=y +# CONFIG_KERNEL_LZO is 
not set +# CONFIG_KERNEL_LZ4 is not set +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SWAP=y +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_FHANDLE=y +CONFIG_AUDIT=y +CONFIG_HAVE_ARCH_AUDITSYSCALL=y +CONFIG_AUDITSYSCALL=y +CONFIG_AUDIT_WATCH=y +CONFIG_AUDIT_TREE=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_GENERIC_PENDING_IRQ=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_GENERIC_MSI_IRQ_DOMAIN=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_DATA=y +CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +# CONFIG_NO_HZ_FULL is not set +# CONFIG_NO_HZ is not set +CONFIG_HIGH_RES_TIMERS=y + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +CONFIG_IRQ_TIME_ACCOUNTING=y +CONFIG_BSD_PROCESS_ACCT=y +CONFIG_BSD_PROCESS_ACCT_V3=y +CONFIG_TASKSTATS=y +CONFIG_TASK_DELAY_ACCT=y +# CONFIG_TASK_XACCT is not set + +# +# RCU Subsystem +# +CONFIG_TREE_RCU=y +# CONFIG_RCU_EXPERT is not set +CONFIG_SRCU=y +# CONFIG_TASKS_RCU is not set +CONFIG_RCU_STALL_COMMON=y +# CONFIG_RCU_EXPEDITE_BOOT is not set +CONFIG_BUILD_BIN2C=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=18 +CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 +CONFIG_NMI_LOG_BUF_SHIFT=13 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y +CONFIG_NUMA_BALANCING=y +CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y +CONFIG_CGROUPS=y +CONFIG_PAGE_COUNTER=y +CONFIG_MEMCG=y +# 
CONFIG_MEMCG_SWAP is not set +CONFIG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y +# CONFIG_CFS_BANDWIDTH is not set +# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CGROUP_PIDS=y +# CONFIG_CGROUP_FREEZER is not set +CONFIG_CPUSETS=y +# CONFIG_PROC_PID_CPUSET is not set +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_DEBUG is not set +CONFIG_NAMESPACES=y +CONFIG_UTS_NS=y +CONFIG_IPC_NS=y +CONFIG_USER_NS=y +CONFIG_PID_NS=y +CONFIG_NET_NS=y +CONFIG_SCHED_AUTOGROUP=y +# CONFIG_SYSFS_DEPRECATED is not set +CONFIG_RELAY=y +CONFIG_BLK_DEV_INITRD=y +CONFIG_INITRAMFS_SOURCE="" +CONFIG_RD_GZIP=y +CONFIG_RD_BZIP2=y +CONFIG_RD_LZMA=y +CONFIG_RD_XZ=y +CONFIG_RD_LZO=y +CONFIG_RD_LZ4=y +CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y +# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set +CONFIG_SYSCTL=y +CONFIG_ANON_INODES=y +CONFIG_HAVE_UID16=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +CONFIG_BPF=y +CONFIG_EXPERT=y +CONFIG_UID16=y +CONFIG_MULTIUSER=y +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +# CONFIG_SYSCTL_SYSCALL is not set +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y +CONFIG_KALLSYMS_BASE_RELATIVE=y +CONFIG_PRINTK=y +CONFIG_PRINTK_NMI=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +# CONFIG_BPF_SYSCALL is not set +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_ADVISE_SYSCALLS=y +CONFIG_PCI_QUIRKS=y +CONFIG_MEMBARRIER=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_VM_EVENT_COUNTERS=y +CONFIG_SLUB_DEBUG=y +# CONFIG_COMPAT_BRK is not set +# CONFIG_SLAB is not set +CONFIG_SLUB=y +# CONFIG_SLOB is not set +CONFIG_SLAB_FREELIST_RANDOM=y +CONFIG_SLUB_CPU_PARTIAL=y 
+CONFIG_SYSTEM_DATA_VERIFICATION=y +# CONFIG_PROFILING is not set +CONFIG_HAVE_OPROFILE=y +CONFIG_OPROFILE_NMI_TIMER=y +CONFIG_KPROBES=y +# CONFIG_JUMP_LABEL is not set +CONFIG_OPTPROBES=y +# CONFIG_UPROBES is not set +# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_HAVE_NMI=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_CLK=y +CONFIG_HAVE_DMA_API_DEBUG=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y +CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP_FILTER=y +CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y +CONFIG_HAVE_CC_STACKPROTECTOR=y +CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_NONE is not set +CONFIG_CC_STACKPROTECTOR_REGULAR=y +# CONFIG_CC_STACKPROTECTOR_STRONG is not set +CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y +CONFIG_HAVE_CONTEXT_TRACKING=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_HUGE_VMAP=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y +CONFIG_ARCH_HAS_ELF_RANDOMIZE=y +CONFIG_HAVE_ARCH_MMAP_RND_BITS=y +CONFIG_HAVE_EXIT_THREAD=y +CONFIG_ARCH_MMAP_RND_BITS=27 
+CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y +CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 +CONFIG_HAVE_COPY_THREAD_TLS=y +CONFIG_HAVE_STACK_VALIDATION=y +# CONFIG_HAVE_ARCH_HASH is not set +# CONFIG_ISA_BUS_API is not set +CONFIG_OLD_SIGSUSPEND3=y +CONFIG_COMPAT_OLD_SIGACTION=y +# CONFIG_CPU_NO_EFFICIENT_FFS is not set +CONFIG_HAVE_ARCH_VMAP_STACK=y + +# +# GCOV-based kernel profiling +# +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set +CONFIG_SLABINFO=y +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +CONFIG_MODULES=y +# CONFIG_MODULE_FORCE_LOAD is not set +CONFIG_MODULE_UNLOAD=y +CONFIG_MODULE_FORCE_UNLOAD=y +CONFIG_MODVERSIONS=y +CONFIG_MODULE_SRCVERSION_ALL=y +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +# CONFIG_MODULE_SIG_SHA224 is not set +CONFIG_MODULE_SIG_SHA256=y +# CONFIG_MODULE_SIG_SHA384 is not set +# CONFIG_MODULE_SIG_SHA512 is not set +CONFIG_MODULE_SIG_HASH="sha256" +# CONFIG_MODULE_COMPRESS is not set +# CONFIG_TRIM_UNUSED_KSYMS is not set +CONFIG_MODULES_TREE_LOOKUP=y +CONFIG_BLOCK=y +CONFIG_BLK_DEV_BSG=y +CONFIG_BLK_DEV_BSGLIB=y +CONFIG_BLK_DEV_INTEGRITY=y +# CONFIG_BLK_DEV_THROTTLING is not set +# CONFIG_BLK_CMDLINE_PARSER is not set + +# +# Partition Types +# +CONFIG_PARTITION_ADVANCED=y +# CONFIG_ACORN_PARTITION is not set +# CONFIG_AIX_PARTITION is not set +# CONFIG_OSF_PARTITION is not set +# CONFIG_AMIGA_PARTITION is not set +# CONFIG_ATARI_PARTITION is not set +# CONFIG_MAC_PARTITION is not set +CONFIG_MSDOS_PARTITION=y +CONFIG_BSD_DISKLABEL=y +CONFIG_MINIX_SUBPARTITION=y +# CONFIG_SOLARIS_X86_PARTITION is not set +# CONFIG_UNIXWARE_DISKLABEL is not set +# CONFIG_LDM_PARTITION is not set +# CONFIG_SGI_PARTITION is not set +# CONFIG_ULTRIX_PARTITION is not set +# CONFIG_SUN_PARTITION is not set +# CONFIG_KARMA_PARTITION is not set +CONFIG_EFI_PARTITION=y +# CONFIG_SYSV68_PARTITION is not set +# CONFIG_CMDLINE_PARTITION is not set +CONFIG_BLOCK_COMPAT=y 
+CONFIG_BLK_MQ_PCI=y + +# +# IO Schedulers +# +CONFIG_IOSCHED_NOOP=y +CONFIG_IOSCHED_DEADLINE=y +CONFIG_IOSCHED_CFQ=y +CONFIG_CFQ_GROUP_IOSCHED=y +# CONFIG_DEFAULT_DEADLINE is not set +CONFIG_DEFAULT_CFQ=y +# CONFIG_DEFAULT_NOOP is not set +CONFIG_DEFAULT_IOSCHED="cfq" +CONFIG_PREEMPT_NOTIFIERS=y +CONFIG_ASN1=y +CONFIG_INLINE_SPIN_UNLOCK_IRQ=y +CONFIG_INLINE_READ_UNLOCK=y +CONFIG_INLINE_READ_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK=y +CONFIG_INLINE_WRITE_UNLOCK_IRQ=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_MUTEX_SPIN_ON_OWNER=y +CONFIG_RWSEM_SPIN_ON_OWNER=y +CONFIG_LOCK_SPIN_ON_OWNER=y +CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y +CONFIG_QUEUED_SPINLOCKS=y +CONFIG_ARCH_USE_QUEUED_RWLOCKS=y +CONFIG_QUEUED_RWLOCKS=y +# CONFIG_FREEZER is not set + +# +# Processor type and features +# +CONFIG_ZONE_DMA=y +CONFIG_SMP=y +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_FAST_FEATURE_TESTS=y +CONFIG_X86_MPPARSE=y +# CONFIG_GOLDFISH is not set +# CONFIG_X86_EXTENDED_PLATFORM is not set +CONFIG_X86_INTEL_LPSS=y +# CONFIG_X86_AMD_PLATFORM_DEVICE is not set +CONFIG_IOSF_MBI=y +CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +CONFIG_NO_BOOTMEM=y +# CONFIG_MK8 is not set +# CONFIG_MK8SSE3 is not set +# CONFIG_MK10 is not set +# CONFIG_MBARCELONA is not set +# CONFIG_MBOBCAT is not set +# CONFIG_MJAGUAR is not set +# CONFIG_MBULLDOZER is not set +# CONFIG_MPILEDRIVER is not set +# CONFIG_MSTEAMROLLER is not set +# CONFIG_MEXCAVATOR is not set +# CONFIG_MZEN is not set +# CONFIG_MPSC is not set +# CONFIG_MATOM is not set +# CONFIG_MCORE2 is not set +# CONFIG_MNEHALEM is not set +# CONFIG_MWESTMERE is not set +# CONFIG_MSILVERMONT is not set +# CONFIG_MSANDYBRIDGE is not set +# CONFIG_MIVYBRIDGE is not set +CONFIG_MHASWELL=y +# CONFIG_MBROADWELL is not set +# CONFIG_MSKYLAKE is not set +# CONFIG_GENERIC_CPU is not set +# CONFIG_MNATIVE is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y 
+CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_PROCESSOR_SELECT=y +CONFIG_CPU_SUP_INTEL=y +# CONFIG_CPU_SUP_AMD is not set +# CONFIG_CPU_SUP_CENTAUR is not set +CONFIG_HPET_TIMER=y +CONFIG_HPET_EMULATE_RTC=y +CONFIG_DMI=y +CONFIG_CALGARY_IOMMU=y +CONFIG_CALGARY_IOMMU_ENABLED_BY_DEFAULT=y +CONFIG_SWIOTLB=y +CONFIG_IOMMU_HELPER=y +# CONFIG_MAXSMP is not set +CONFIG_NR_CPUS=4 +# CONFIG_SCHED_SMT is not set +CONFIG_SCHED_MC=y +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y +CONFIG_X86_MCE=y +CONFIG_X86_MCE_INTEL=y +# CONFIG_X86_MCE_AMD is not set +CONFIG_X86_MCE_THRESHOLD=y +# CONFIG_X86_MCE_INJECT is not set +CONFIG_X86_THERMAL_VECTOR=y + +# +# Performance monitoring +# +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERF_EVENTS_INTEL_RAPL=y +CONFIG_PERF_EVENTS_INTEL_CSTATE=y +# CONFIG_VM86 is not set +CONFIG_X86_VSYSCALL_EMULATION=y +# CONFIG_I8K is not set +# CONFIG_MICROCODE is not set +CONFIG_X86_MSR=y +CONFIG_X86_CPUID=y +CONFIG_ARCH_PHYS_ADDR_T_64BIT=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_X86_DIRECT_GBPAGES=y +CONFIG_NUMA=y +# CONFIG_AMD_NUMA is not set +CONFIG_X86_64_ACPI_NUMA=y +CONFIG_NODES_SPAN_OTHER_NODES=y +# CONFIG_NUMA_EMU is not set +CONFIG_NODES_SHIFT=6 +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +CONFIG_SELECT_MEMORY_MODEL=y +CONFIG_SPARSEMEM_MANUAL=y +CONFIG_SPARSEMEM=y +CONFIG_NEED_MULTIPLE_NODES=y +CONFIG_HAVE_MEMORY_PRESENT=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_HAVE_MEMBLOCK=y +CONFIG_HAVE_MEMBLOCK_NODE_MAP=y +CONFIG_ARCH_DISCARD_MEMBLOCK=y +CONFIG_MEMORY_ISOLATION=y +# CONFIG_MOVABLE_NODE is not set +# 
CONFIG_HAVE_BOOTMEM_INFO_NODE is not set +# CONFIG_MEMORY_HOTPLUG is not set +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y +CONFIG_MEMORY_BALLOON=y +CONFIG_BALLOON_COMPACTION=y +CONFIG_COMPACTION=y +CONFIG_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +# CONFIG_BOUNCE is not set +CONFIG_VIRT_TO_BUS=y +CONFIG_MMU_NOTIFIER=y +# CONFIG_KSM is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y +CONFIG_MEMORY_FAILURE=y +# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_CLEANCACHE=y +CONFIG_FRONTSWAP=y +# CONFIG_CMA is not set +# CONFIG_ZSWAP is not set +CONFIG_ZPOOL=y +CONFIG_ZBUD=y +CONFIG_Z3FOLD=y +CONFIG_ZSMALLOC=y +# CONFIG_PGTABLE_MAPPING is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y +# CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_FRAME_VECTOR=y +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y +CONFIG_ARCH_HAS_PKEYS=y +# CONFIG_X86_PMEM_LEGACY is not set +CONFIG_X86_CHECK_BIOS_CORRUPTION=y +CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y +CONFIG_X86_RESERVE_LOW=64 +CONFIG_MTRR=y +# CONFIG_MTRR_SANITIZER is not set +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_ARCH_RANDOM=y +CONFIG_X86_SMAP=y +CONFIG_X86_INTEL_MPX=y +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +CONFIG_EFI=y +# CONFIG_EFI_STUB is not set +CONFIG_SECCOMP=y +# CONFIG_HZ_100 is not set +# CONFIG_HZ_250 is not set +CONFIG_HZ_300=y +# CONFIG_HZ_1000 is not set +CONFIG_HZ=300 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC_FILE is not set +CONFIG_CRASH_DUMP=y +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +CONFIG_PHYSICAL_ALIGN=0x1000000 +# CONFIG_HOTPLUG_CPU is not set +CONFIG_LEGACY_VSYSCALL_EMULATE=y +# CONFIG_LEGACY_VSYSCALL_NONE is not set +# CONFIG_CMDLINE_BOOL is not set +# CONFIG_MODIFY_LDT_SYSCALL is not set +# CONFIG_DEFAULT_MODIFY_LDT_SYSCALL is not set +CONFIG_HAVE_LIVEPATCH=y +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_USE_PERCPU_NUMA_NODE_ID=y + +# +# Power management and ACPI options +# +# CONFIG_SUSPEND 
is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +CONFIG_PM_CLK=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y +# CONFIG_ACPI_DEBUGGER is not set +# CONFIG_ACPI_PROCFS_POWER is not set +CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_VIDEO=y +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_PROCESSOR_CSTATE=y +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +CONFIG_ACPI_NUMA=y +# CONFIG_ACPI_CUSTOM_DSDT is not set +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +CONFIG_ACPI_TABLE_UPGRADE=y +# CONFIG_ACPI_DEBUG is not set +CONFIG_ACPI_PCI_SLOT=y +CONFIG_X86_PM_TIMER=y +CONFIG_ACPI_CONTAINER=y +CONFIG_ACPI_HOTPLUG_IOAPIC=y +CONFIG_ACPI_SBS=y +CONFIG_ACPI_HED=y +CONFIG_ACPI_BGRT=y +# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set +# CONFIG_ACPI_NFIT is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +CONFIG_ACPI_APEI=y +CONFIG_ACPI_APEI_GHES=y +CONFIG_ACPI_APEI_PCIEAER=y +# CONFIG_ACPI_APEI_MEMORY_FAILURE is not set +# CONFIG_ACPI_APEI_ERST_DEBUG is not set +# CONFIG_DPTF_POWER is not set +# CONFIG_ACPI_EXTLOG is not set +# CONFIG_PMIC_OPREGION is not set +CONFIG_ACPI_CONFIGFS=y +CONFIG_SFI=y + +# +# CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set +# CONFIG_INTEL_IDLE is not set + +# +# Memory power savings +# +# CONFIG_I7300_IDLE is not set + +# +# Bus options (PCI etc.) 
+# +CONFIG_PCI=y +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_DOMAINS=y +# CONFIG_PCI_CNB20LE_QUIRK is not set +CONFIG_PCIEPORTBUS=y +CONFIG_PCIEAER=y +# CONFIG_PCIE_ECRC is not set +# CONFIG_PCIEAER_INJECT is not set +CONFIG_PCIEASPM=y +# CONFIG_PCIEASPM_DEBUG is not set +CONFIG_PCIEASPM_DEFAULT=y +# CONFIG_PCIEASPM_POWERSAVE is not set +# CONFIG_PCIEASPM_PERFORMANCE is not set +CONFIG_PCIE_PME=y +# CONFIG_PCIE_DPC is not set +# CONFIG_PCIE_PTM is not set +CONFIG_PCI_BUS_ADDR_T_64BIT=y +CONFIG_PCI_MSI=y +CONFIG_PCI_MSI_IRQ_DOMAIN=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +# CONFIG_PCI_STUB is not set +CONFIG_HT_IRQ=y +CONFIG_PCI_ATS=y +CONFIG_PCI_IOV=y +CONFIG_PCI_PRI=y +CONFIG_PCI_PASID=y +CONFIG_PCI_LABEL=y +# CONFIG_HOTPLUG_PCI is not set + +# +# PCI host controller drivers +# +CONFIG_PCIE_DW_PLAT=y +CONFIG_PCIE_DW=y +# CONFIG_VMD is not set +# CONFIG_ISA_BUS is not set +CONFIG_ISA_DMA_API=y +# CONFIG_PCCARD is not set +# CONFIG_RAPIDIO is not set +CONFIG_X86_SYSFB=y + +# +# Executable file formats / Emulations +# +CONFIG_BINFMT_ELF=y +CONFIG_COMPAT_BINFMT_ELF=y +CONFIG_ELFCORE=y +CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y +CONFIG_BINFMT_SCRIPT=y +# CONFIG_HAVE_AOUT is not set +# CONFIG_BINFMT_MISC is not set +CONFIG_COREDUMP=y +CONFIG_IA32_EMULATION=y +CONFIG_IA32_AOUT=y +CONFIG_X86_X32=y +CONFIG_COMPAT=y +CONFIG_COMPAT_FOR_U64_ALIGNMENT=y +CONFIG_SYSVIPC_COMPAT=y +CONFIG_KEYS_COMPAT=y +CONFIG_X86_DEV_DMA_OPS=y +CONFIG_PMC_ATOM=y +CONFIG_NET=y +CONFIG_COMPAT_NETLINK_MESSAGES=y +CONFIG_NET_INGRESS=y + +# +# Networking options +# +CONFIG_PACKET=y +CONFIG_PACKET_DIAG=y +CONFIG_UNIX=y +CONFIG_UNIX_DIAG=y +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +CONFIG_XFRM_SUB_POLICY=y +# CONFIG_XFRM_MIGRATE is not set +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_IPCOMP=y +CONFIG_NET_KEY=y +# CONFIG_NET_KEY_MIGRATE is not set +CONFIG_INET=y +CONFIG_IP_MULTICAST=y +# CONFIG_IP_ADVANCED_ROUTER is not set 
+CONFIG_IP_ROUTE_CLASSID=y +# CONFIG_IP_PNP is not set +CONFIG_NET_IPIP=y +CONFIG_NET_IPGRE_DEMUX=y +CONFIG_NET_IP_TUNNEL=y +CONFIG_NET_IPGRE=y +# CONFIG_NET_IPGRE_BROADCAST is not set +# CONFIG_IP_MROUTE is not set +CONFIG_SYN_COOKIES=y +CONFIG_NET_IPVTI=y +CONFIG_NET_UDP_TUNNEL=y +CONFIG_NET_FOU=y +CONFIG_NET_FOU_IP_TUNNELS=y +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +CONFIG_INET_IPCOMP=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_XFRM_MODE_TRANSPORT=y +CONFIG_INET_XFRM_MODE_TUNNEL=y +CONFIG_INET_XFRM_MODE_BEET=y +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +CONFIG_INET_UDP_DIAG=y +CONFIG_INET_DIAG_DESTROY=y +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +CONFIG_TCP_MD5SIG=y +# CONFIG_IPV6 is not set +CONFIG_NETWORK_SECMARK=y +CONFIG_NET_PTP_CLASSIFY=y +CONFIG_NETWORK_PHY_TIMESTAMPING=y +CONFIG_NETFILTER=y +# CONFIG_NETFILTER_DEBUG is not set +CONFIG_NETFILTER_ADVANCED=y +CONFIG_BRIDGE_NETFILTER=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_NETLINK=y +CONFIG_NETFILTER_NETLINK_ACCT=y +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_COMMON=y +CONFIG_NF_CONNTRACK_MARK=y +CONFIG_NF_CONNTRACK_SECMARK=y +CONFIG_NF_CONNTRACK_ZONES=y +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +CONFIG_NF_CONNTRACK_TIMEOUT=y +CONFIG_NF_CONNTRACK_TIMESTAMP=y +CONFIG_NF_CONNTRACK_LABELS=y +CONFIG_NF_CT_PROTO_DCCP=y +CONFIG_NF_CT_PROTO_GRE=y +CONFIG_NF_CT_PROTO_SCTP=y +CONFIG_NF_CT_PROTO_UDPLITE=y +CONFIG_NF_CONNTRACK_AMANDA=y +CONFIG_NF_CONNTRACK_FTP=y +CONFIG_NF_CONNTRACK_H323=y +CONFIG_NF_CONNTRACK_IRC=y +CONFIG_NF_CONNTRACK_BROADCAST=y +CONFIG_NF_CONNTRACK_NETBIOS_NS=y +CONFIG_NF_CONNTRACK_SNMP=y +CONFIG_NF_CONNTRACK_PPTP=y +CONFIG_NF_CONNTRACK_SANE=y +CONFIG_NF_CONNTRACK_SIP=y +CONFIG_NF_CONNTRACK_TFTP=y +CONFIG_NF_CT_NETLINK=y +CONFIG_NF_CT_NETLINK_TIMEOUT=y +CONFIG_NF_CT_NETLINK_HELPER=y 
+CONFIG_NETFILTER_NETLINK_GLUE_CT=y +CONFIG_NF_NAT=y +CONFIG_NF_NAT_NEEDED=y +CONFIG_NF_NAT_PROTO_DCCP=y +CONFIG_NF_NAT_PROTO_UDPLITE=y +CONFIG_NF_NAT_PROTO_SCTP=y +CONFIG_NF_NAT_AMANDA=y +CONFIG_NF_NAT_FTP=y +CONFIG_NF_NAT_IRC=y +CONFIG_NF_NAT_SIP=y +CONFIG_NF_NAT_TFTP=y +CONFIG_NF_NAT_REDIRECT=y +CONFIG_NETFILTER_SYNPROXY=y +CONFIG_NF_TABLES=y +CONFIG_NF_TABLES_NETDEV=y +CONFIG_NFT_EXTHDR=y +CONFIG_NFT_META=y +CONFIG_NFT_NUMGEN=y +CONFIG_NFT_CT=y +CONFIG_NFT_SET_RBTREE=y +CONFIG_NFT_SET_HASH=y +CONFIG_NFT_COUNTER=y +CONFIG_NFT_LOG=y +CONFIG_NFT_LIMIT=y +CONFIG_NFT_MASQ=y +CONFIG_NFT_REDIR=y +CONFIG_NFT_NAT=y +CONFIG_NFT_QUEUE=y +CONFIG_NFT_QUOTA=y +CONFIG_NFT_REJECT=y +# CONFIG_NFT_COMPAT is not set +CONFIG_NFT_HASH=y +CONFIG_NF_DUP_NETDEV=y +CONFIG_NFT_DUP_NETDEV=y +CONFIG_NFT_FWD_NETDEV=y +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set +CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +CONFIG_NETFILTER_XT_TARGET_HMARK=y +CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y +CONFIG_NETFILTER_XT_TARGET_LED=m +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +CONFIG_NETFILTER_XT_TARGET_RATEEST=y +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +CONFIG_NETFILTER_XT_TARGET_TEE=y +CONFIG_NETFILTER_XT_TARGET_TPROXY=y +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NETFILTER_XT_TARGET_SECMARK=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y + +# +# Xtables matches +# 
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +CONFIG_NETFILTER_XT_MATCH_BPF=y +# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +CONFIG_NETFILTER_XT_MATCH_CONNLABEL=y +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_CPU=y +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +# CONFIG_NETFILTER_XT_MATCH_GRADM is not set +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +CONFIG_NETFILTER_XT_MATCH_IPCOMP=y +CONFIG_NETFILTER_XT_MATCH_IPRANGE=y +CONFIG_NETFILTER_XT_MATCH_IPVS=y +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +CONFIG_NETFILTER_XT_MATCH_NFACCT=y +CONFIG_NETFILTER_XT_MATCH_OSF=y +CONFIG_NETFILTER_XT_MATCH_OWNER=y +# CONFIG_NETFILTER_XT_MATCH_POLICY is not set +CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +CONFIG_NETFILTER_XT_MATCH_RATEEST=y +CONFIG_NETFILTER_XT_MATCH_REALM=y +CONFIG_NETFILTER_XT_MATCH_RECENT=y +CONFIG_NETFILTER_XT_MATCH_SCTP=y +CONFIG_NETFILTER_XT_MATCH_SOCKET=y +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +CONFIG_NETFILTER_XT_MATCH_TIME=y +CONFIG_NETFILTER_XT_MATCH_U32=y +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IP=y +CONFIG_IP_SET_HASH_IPMARK=y +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y 
+CONFIG_IP_SET_HASH_MAC=y +CONFIG_IP_SET_HASH_NETPORTNET=y +CONFIG_IP_SET_HASH_NET=y +CONFIG_IP_SET_HASH_NETNET=y +CONFIG_IP_SET_HASH_NETPORT=y +CONFIG_IP_SET_HASH_NETIFACE=y +CONFIG_IP_SET_LIST_SET=y +CONFIG_IP_VS=y +# CONFIG_IP_VS_DEBUG is not set +CONFIG_IP_VS_TAB_BITS=12 + +# +# IPVS transport protocol load balancing support +# +CONFIG_IP_VS_PROTO_TCP=y +CONFIG_IP_VS_PROTO_UDP=y +CONFIG_IP_VS_PROTO_AH_ESP=y +CONFIG_IP_VS_PROTO_ESP=y +CONFIG_IP_VS_PROTO_AH=y +CONFIG_IP_VS_PROTO_SCTP=y + +# +# IPVS scheduler +# +# CONFIG_IP_VS_RR is not set +# CONFIG_IP_VS_WRR is not set +# CONFIG_IP_VS_LC is not set +# CONFIG_IP_VS_WLC is not set +# CONFIG_IP_VS_FO is not set +# CONFIG_IP_VS_OVF is not set +# CONFIG_IP_VS_LBLC is not set +# CONFIG_IP_VS_LBLCR is not set +# CONFIG_IP_VS_DH is not set +# CONFIG_IP_VS_SH is not set +# CONFIG_IP_VS_SED is not set +# CONFIG_IP_VS_NQ is not set + +# +# IPVS SH scheduler +# +CONFIG_IP_VS_SH_TAB_BITS=8 + +# +# IPVS application helper +# +# CONFIG_IP_VS_FTP is not set +CONFIG_IP_VS_NFCT=y +CONFIG_IP_VS_PE_SIP=y + +# +# IP: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV4=y +CONFIG_NF_CONNTRACK_IPV4=y +CONFIG_NF_TABLES_IPV4=y +CONFIG_NFT_CHAIN_ROUTE_IPV4=y +CONFIG_NFT_REJECT_IPV4=y +CONFIG_NFT_DUP_IPV4=y +CONFIG_NF_TABLES_ARP=y +CONFIG_NF_DUP_IPV4=y +CONFIG_NF_LOG_ARP=y +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_NAT_IPV4=y +CONFIG_NFT_CHAIN_NAT_IPV4=y +CONFIG_NF_NAT_MASQUERADE_IPV4=y +CONFIG_NFT_MASQ_IPV4=y +CONFIG_NFT_REDIR_IPV4=y +CONFIG_NF_NAT_SNMP_BASIC=y +CONFIG_NF_NAT_PROTO_GRE=y +CONFIG_NF_NAT_PPTP=y +CONFIG_NF_NAT_H323=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +CONFIG_IP_NF_MATCH_RPFILTER=y +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +CONFIG_IP_NF_TARGET_SYNPROXY=y +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y 
+CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y +CONFIG_NF_TABLES_BRIDGE=y +CONFIG_NFT_BRIDGE_META=y +CONFIG_NF_LOG_BRIDGE=y +CONFIG_BRIDGE_NF_EBTABLES=y +CONFIG_BRIDGE_EBT_BROUTE=y +CONFIG_BRIDGE_EBT_T_FILTER=y +CONFIG_BRIDGE_EBT_T_NAT=y +CONFIG_BRIDGE_EBT_802_3=y +CONFIG_BRIDGE_EBT_AMONG=y +CONFIG_BRIDGE_EBT_ARP=y +CONFIG_BRIDGE_EBT_IP=y +CONFIG_BRIDGE_EBT_LIMIT=y +CONFIG_BRIDGE_EBT_MARK=y +CONFIG_BRIDGE_EBT_PKTTYPE=y +CONFIG_BRIDGE_EBT_STP=y +CONFIG_BRIDGE_EBT_VLAN=y +CONFIG_BRIDGE_EBT_ARPREPLY=y +CONFIG_BRIDGE_EBT_DNAT=y +CONFIG_BRIDGE_EBT_MARK_T=y +CONFIG_BRIDGE_EBT_REDIRECT=y +CONFIG_BRIDGE_EBT_SNAT=y +CONFIG_BRIDGE_EBT_LOG=y +CONFIG_BRIDGE_EBT_NFLOG=y +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +# CONFIG_L2TP is not set +CONFIG_STP=y +CONFIG_GARP=y +CONFIG_MRP=y +CONFIG_BRIDGE=y +CONFIG_BRIDGE_IGMP_SNOOPING=y +CONFIG_BRIDGE_VLAN_FILTERING=y +CONFIG_HAVE_NET_DSA=y +CONFIG_VLAN_8021Q=y +CONFIG_VLAN_8021Q_GVRP=y +CONFIG_VLAN_8021Q_MVRP=y +# CONFIG_DECNET is not set +CONFIG_LLC=y +# CONFIG_LLC2 is not set +# CONFIG_IPX is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_IEEE802154 is not set +CONFIG_NET_SCHED=y + +# +# Queueing/Scheduling +# +# CONFIG_NET_SCH_CBQ is not set +# CONFIG_NET_SCH_HTB is not set +# CONFIG_NET_SCH_HFSC is not set +# CONFIG_NET_SCH_PRIO is not set +# CONFIG_NET_SCH_MULTIQ is not set +# CONFIG_NET_SCH_RED is not set +# CONFIG_NET_SCH_SFB is not set +# CONFIG_NET_SCH_SFQ is not set +# CONFIG_NET_SCH_TEQL is not set +# CONFIG_NET_SCH_TBF is not set +# CONFIG_NET_SCH_GRED is not set +# CONFIG_NET_SCH_DSMARK is not set +# CONFIG_NET_SCH_NETEM is not set +# CONFIG_NET_SCH_DRR is not set +# CONFIG_NET_SCH_MQPRIO is not set +# CONFIG_NET_SCH_CHOKE is not set +# CONFIG_NET_SCH_QFQ 
is not set +# CONFIG_NET_SCH_CODEL is not set +# CONFIG_NET_SCH_FQ_CODEL is not set +# CONFIG_NET_SCH_FQ is not set +# CONFIG_NET_SCH_HHF is not set +# CONFIG_NET_SCH_PIE is not set +# CONFIG_NET_SCH_PLUG is not set + +# +# Classification +# +# CONFIG_NET_CLS_BASIC is not set +# CONFIG_NET_CLS_TCINDEX is not set +# CONFIG_NET_CLS_ROUTE4 is not set +# CONFIG_NET_CLS_FW is not set +# CONFIG_NET_CLS_U32 is not set +# CONFIG_NET_CLS_RSVP is not set +# CONFIG_NET_CLS_RSVP6 is not set +# CONFIG_NET_CLS_FLOW is not set +# CONFIG_NET_CLS_CGROUP is not set +# CONFIG_NET_CLS_BPF is not set +# CONFIG_NET_CLS_FLOWER is not set +# CONFIG_NET_CLS_MATCHALL is not set +# CONFIG_NET_EMATCH is not set +# CONFIG_NET_CLS_ACT is not set +CONFIG_NET_SCH_FIFO=y +# CONFIG_DCB is not set +# CONFIG_DNS_RESOLVER is not set +# CONFIG_BATMAN_ADV is not set +# CONFIG_OPENVSWITCH is not set +CONFIG_VSOCKETS=y +CONFIG_VIRTIO_VSOCKETS=y +CONFIG_VIRTIO_VSOCKETS_COMMON=y +CONFIG_NETLINK_DIAG=y +# CONFIG_MPLS is not set +# CONFIG_HSR is not set +# CONFIG_NET_SWITCHDEV is not set +# CONFIG_NET_L3_MASTER_DEV is not set +# CONFIG_NET_NCSI is not set +CONFIG_RPS=y +CONFIG_RFS_ACCEL=y +CONFIG_XPS=y +# CONFIG_SOCK_CGROUP_DATA is not set +# CONFIG_CGROUP_NET_PRIO is not set +# CONFIG_CGROUP_NET_CLASSID is not set +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y +# CONFIG_BPF_JIT is not set +CONFIG_NET_FLOW_LIMIT=y + +# +# Network testing +# +CONFIG_NET_PKTGEN=y +# CONFIG_NET_TCPPROBE is not set +# CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_IRDA is not set +CONFIG_BT=y +CONFIG_BT_BREDR=y +# CONFIG_BT_RFCOMM is not set +# CONFIG_BT_BNEP is not set +# CONFIG_BT_HIDP is not set +CONFIG_BT_HS=y +CONFIG_BT_LE=y +# CONFIG_BT_LEDS is not set +# CONFIG_BT_SELFTEST is not set + +# +# Bluetooth device drivers +# +# CONFIG_BT_HCIBTUSB is not set +# CONFIG_BT_HCIBTSDIO is not set +# CONFIG_BT_HCIUART is not set +# CONFIG_BT_HCIBCM203X is not set +# CONFIG_BT_HCIBFUSB is not set +# CONFIG_BT_HCIVHCI is not set 
+# CONFIG_BT_MRVL is not set +# CONFIG_AF_RXRPC is not set +# CONFIG_AF_KCM is not set +# CONFIG_STREAM_PARSER is not set +CONFIG_WIRELESS=y +CONFIG_WEXT_CORE=y +CONFIG_WEXT_PROC=y +CONFIG_CFG80211=y +CONFIG_NL80211_TESTMODE=y +# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set +# CONFIG_CFG80211_CERTIFICATION_ONUS is not set +CONFIG_CFG80211_DEFAULT_PS=y +# CONFIG_CFG80211_INTERNAL_REGDB is not set +CONFIG_CFG80211_CRDA_SUPPORT=y +CONFIG_CFG80211_WEXT=y +# CONFIG_LIB80211 is not set +CONFIG_MAC80211=y +CONFIG_MAC80211_HAS_RC=y +CONFIG_MAC80211_RC_MINSTREL=y +CONFIG_MAC80211_RC_MINSTREL_HT=y +# CONFIG_MAC80211_RC_MINSTREL_VHT is not set +CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y +CONFIG_MAC80211_RC_DEFAULT="minstrel_ht" +# CONFIG_MAC80211_MESH is not set +CONFIG_MAC80211_LEDS=y +# CONFIG_MAC80211_MESSAGE_TRACING is not set +# CONFIG_MAC80211_DEBUG_MENU is not set +CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 +# CONFIG_WIMAX is not set +CONFIG_RFKILL=y +CONFIG_RFKILL_LEDS=y +# CONFIG_RFKILL_INPUT is not set +# CONFIG_RFKILL_GPIO is not set +# CONFIG_NET_9P is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +# CONFIG_LWTUNNEL is not set +CONFIG_DST_CACHE=y +# CONFIG_NET_DEVLINK is not set +CONFIG_MAY_USE_DEVLINK=y +CONFIG_HAVE_EBPF_JIT=y + +# +# Device Drivers +# + +# +# Generic Driver Options +# +# CONFIG_UEVENT_HELPER is not set +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y +CONFIG_FW_LOADER=y +# CONFIG_FIRMWARE_IN_KERNEL is not set +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set +CONFIG_WANT_DEV_COREDUMP=y +CONFIG_ALLOW_DEV_COREDUMP=y +CONFIG_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set +# CONFIG_SYS_HYPERVISOR is not set +# CONFIG_GENERIC_CPU_DEVICES is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +CONFIG_REGMAP=y +CONFIG_REGMAP_I2C=y +CONFIG_REGMAP_SPI=y 
+CONFIG_DMA_SHARED_BUFFER=y +# CONFIG_FENCE_TRACE is not set + +# +# Bus devices +# +CONFIG_CONNECTOR=y +CONFIG_PROC_EVENTS=y +# CONFIG_MTD is not set +CONFIG_DTC=y +CONFIG_OF=y +CONFIG_OF_UNITTEST=y +CONFIG_OF_FLATTREE=y +CONFIG_OF_EARLY_FLATTREE=y +CONFIG_OF_DYNAMIC=y +CONFIG_OF_ADDRESS=y +CONFIG_OF_ADDRESS_PCI=y +CONFIG_OF_IRQ=y +CONFIG_OF_NET=y +CONFIG_OF_MDIO=y +CONFIG_OF_PCI=y +CONFIG_OF_PCI_IRQ=y +CONFIG_OF_RESOLVE=y +CONFIG_OF_OVERLAY=y +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +# CONFIG_PNP_DEBUG_MESSAGES is not set + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_ZRAM is not set +# CONFIG_BLK_CPQ_CISS_DA is not set +# CONFIG_BLK_DEV_DAC960 is not set +# CONFIG_BLK_DEV_UMEM is not set +# CONFIG_BLK_DEV_COW_COMMON is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +CONFIG_BLK_DEV_CRYPTOLOOP=y +# CONFIG_BLK_DEV_DRBD is not set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_SKD is not set +# CONFIG_BLK_DEV_SX8 is not set +CONFIG_BLK_DEV_RAM=y +CONFIG_BLK_DEV_RAM_COUNT=16 +CONFIG_BLK_DEV_RAM_SIZE=4096 +# CONFIG_CDROM_PKTCDVD is not set +# CONFIG_ATA_OVER_ETH is not set +CONFIG_VIRTIO_BLK=y +# CONFIG_BLK_DEV_HD is not set +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_RSXX is not set +CONFIG_NVME_CORE=y +CONFIG_BLK_DEV_NVME=y +# CONFIG_BLK_DEV_NVME_SCSI is not set +# CONFIG_NVME_TARGET is not set + +# +# Misc devices +# +# CONFIG_SENSORS_LIS3LV02D is not set +# CONFIG_AD525X_DPOT is not set +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ICS932S401 is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# CONFIG_APDS9802ALS is not set +# CONFIG_ISL29003 is not set +# CONFIG_ISL29020 is not set +# CONFIG_SENSORS_TSL2550 is not set +# 
CONFIG_SENSORS_BH1770 is not set +# CONFIG_SENSORS_APDS990X is not set +# CONFIG_HMC6352 is not set +# CONFIG_DS1682 is not set +# CONFIG_TI_DAC7512 is not set +# CONFIG_USB_SWITCH_FSA9480 is not set +# CONFIG_LATTICE_ECP3_CONFIG is not set +CONFIG_SRAM=y +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_AT24 is not set +# CONFIG_EEPROM_AT25 is not set +# CONFIG_EEPROM_LEGACY is not set +# CONFIG_EEPROM_MAX6875 is not set +CONFIG_EEPROM_93CX6=m +# CONFIG_EEPROM_93XX46 is not set +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# +# CONFIG_TI_ST is not set +# CONFIG_SENSORS_LIS3_I2C is not set + +# +# Altera FPGA firmware download module +# +# CONFIG_ALTERA_STAPL is not set +CONFIG_INTEL_MEI=y +CONFIG_INTEL_MEI_ME=y +CONFIG_INTEL_MEI_TXE=y +# CONFIG_VMWARE_VMCI is not set + +# +# Intel MIC Bus Driver +# +CONFIG_INTEL_MIC_BUS=y + +# +# SCIF Bus Driver +# +# CONFIG_SCIF_BUS is not set + +# +# VOP Bus Driver +# +# CONFIG_VOP_BUS is not set + +# +# Intel MIC Host Driver +# + +# +# Intel MIC Card Driver +# + +# +# SCIF Driver +# + +# +# Intel MIC Coprocessor State Management (COSM) Drivers +# + +# +# VOP Driver +# +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_CXL_BASE is not set +# CONFIG_CXL_AFU_DRIVER_OPS is not set +CONFIG_HAVE_IDE=y +# CONFIG_IDE is not set + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +CONFIG_RAID_ATTRS=y +CONFIG_SCSI=y +CONFIG_SCSI_DMA=y +CONFIG_SCSI_NETLINK=y +# CONFIG_SCSI_MQ_DEFAULT is not set +CONFIG_SCSI_PROC_FS=y + +# +# SCSI support type (disk, tape, CD-ROM) +# +CONFIG_BLK_DEV_SD=y +# CONFIG_CHR_DEV_ST is not set +# CONFIG_CHR_DEV_OSST is not set +CONFIG_BLK_DEV_SR=y +# CONFIG_BLK_DEV_SR_VENDOR is not set +CONFIG_CHR_DEV_SG=y +# CONFIG_CHR_DEV_SCH is not set +# CONFIG_SCSI_CONSTANTS is not set +# CONFIG_SCSI_LOGGING is not set +# CONFIG_SCSI_SCAN_ASYNC is not set + +# +# SCSI Transports +# +CONFIG_SCSI_SPI_ATTRS=y +CONFIG_SCSI_FC_ATTRS=y 
+CONFIG_SCSI_ISCSI_ATTRS=y +CONFIG_SCSI_SAS_ATTRS=y +CONFIG_SCSI_SAS_LIBSAS=y +# CONFIG_SCSI_SAS_ATA is not set +CONFIG_SCSI_SAS_HOST_SMP=y +# CONFIG_SCSI_SRP_ATTRS is not set +CONFIG_SCSI_LOWLEVEL=y +# CONFIG_ISCSI_TCP is not set +CONFIG_ISCSI_BOOT_SYSFS=y +# CONFIG_SCSI_CXGB3_ISCSI is not set +# CONFIG_SCSI_CXGB4_ISCSI is not set +# CONFIG_SCSI_BNX2_ISCSI is not set +# CONFIG_BE2ISCSI is not set +# CONFIG_BLK_DEV_3W_XXXX_RAID is not set +# CONFIG_SCSI_HPSA is not set +# CONFIG_SCSI_3W_9XXX is not set +# CONFIG_SCSI_3W_SAS is not set +# CONFIG_SCSI_ACARD is not set +# CONFIG_SCSI_AACRAID is not set +# CONFIG_SCSI_AIC7XXX is not set +# CONFIG_SCSI_AIC79XX is not set +# CONFIG_SCSI_AIC94XX is not set +# CONFIG_SCSI_MVSAS is not set +# CONFIG_SCSI_MVUMI is not set +# CONFIG_SCSI_DPT_I2O is not set +# CONFIG_SCSI_ADVANSYS is not set +# CONFIG_SCSI_ARCMSR is not set +# CONFIG_SCSI_ESAS2R is not set +# CONFIG_MEGARAID_NEWGEN is not set +# CONFIG_MEGARAID_LEGACY is not set +# CONFIG_MEGARAID_SAS is not set +# CONFIG_SCSI_MPT3SAS is not set +# CONFIG_SCSI_MPT2SAS is not set +# CONFIG_SCSI_SMARTPQI is not set +# CONFIG_SCSI_UFSHCD is not set +# CONFIG_SCSI_HPTIOP is not set +# CONFIG_SCSI_BUSLOGIC is not set +# CONFIG_VMWARE_PVSCSI is not set +# CONFIG_LIBFC is not set +# CONFIG_SCSI_SNIC is not set +# CONFIG_SCSI_DMX3191D is not set +CONFIG_SCSI_EATA=y +# CONFIG_SCSI_EATA_TAGGED_QUEUE is not set +# CONFIG_SCSI_EATA_LINKED_COMMANDS is not set +CONFIG_SCSI_EATA_MAX_TAGS=16 +# CONFIG_SCSI_FUTURE_DOMAIN is not set +# CONFIG_SCSI_GDTH is not set +# CONFIG_SCSI_ISCI is not set +# CONFIG_SCSI_IPS is not set +# CONFIG_SCSI_INITIO is not set +# CONFIG_SCSI_INIA100 is not set +# CONFIG_SCSI_STEX is not set +# CONFIG_SCSI_SYM53C8XX_2 is not set +# CONFIG_SCSI_IPR is not set +# CONFIG_SCSI_QLOGIC_1280 is not set +# CONFIG_SCSI_QLA_FC is not set +# CONFIG_SCSI_QLA_ISCSI is not set +# CONFIG_SCSI_LPFC is not set +# CONFIG_SCSI_DC395x is not set +# CONFIG_SCSI_AM53C974 is not set +# 
CONFIG_SCSI_WD719X is not set +# CONFIG_SCSI_DEBUG is not set +# CONFIG_SCSI_PMCRAID is not set +# CONFIG_SCSI_PM8001 is not set +# CONFIG_SCSI_BFA_FC is not set +CONFIG_SCSI_VIRTIO=y +# CONFIG_SCSI_CHELSIO_FCOE is not set +# CONFIG_SCSI_DH is not set +# CONFIG_SCSI_OSD_INITIATOR is not set +CONFIG_ATA=y +# CONFIG_ATA_NONSTANDARD is not set +CONFIG_ATA_VERBOSE_ERROR=y +CONFIG_ATA_ACPI=y +# CONFIG_SATA_ZPODD is not set +# CONFIG_SATA_PMP is not set + +# +# Controllers with non-SFF native interface +# +CONFIG_SATA_AHCI=y +CONFIG_SATA_AHCI_PLATFORM=y +# CONFIG_AHCI_CEVA is not set +# CONFIG_AHCI_QORIQ is not set +# CONFIG_SATA_INIC162X is not set +# CONFIG_SATA_ACARD_AHCI is not set +# CONFIG_SATA_SIL24 is not set +# CONFIG_ATA_SFF is not set +CONFIG_MD=y +CONFIG_BLK_DEV_MD=y +CONFIG_MD_AUTODETECT=y +# CONFIG_MD_LINEAR is not set +CONFIG_MD_RAID0=y +CONFIG_MD_RAID1=y +CONFIG_MD_RAID10=y +CONFIG_MD_RAID456=y +CONFIG_MD_MULTIPATH=y +# CONFIG_MD_FAULTY is not set +# CONFIG_BCACHE is not set +CONFIG_BLK_DEV_DM_BUILTIN=y +CONFIG_BLK_DEV_DM=y +# CONFIG_DM_MQ_DEFAULT is not set +# CONFIG_DM_DEBUG is not set +CONFIG_DM_BUFIO=y +# CONFIG_DM_DEBUG_BLOCK_STACK_TRACING is not set +CONFIG_DM_BIO_PRISON=y +CONFIG_DM_PERSISTENT_DATA=y +CONFIG_DM_CRYPT=y +CONFIG_DM_SNAPSHOT=y +CONFIG_DM_THIN_PROVISIONING=y +# CONFIG_DM_CACHE is not set +# CONFIG_DM_ERA is not set +CONFIG_DM_MIRROR=y +# CONFIG_DM_LOG_USERSPACE is not set +CONFIG_DM_RAID=y +# CONFIG_DM_ZERO is not set +CONFIG_DM_MULTIPATH=y +# CONFIG_DM_MULTIPATH_QL is not set +# CONFIG_DM_MULTIPATH_ST is not set +# CONFIG_DM_DELAY is not set +CONFIG_DM_UEVENT=y +# CONFIG_DM_FLAKEY is not set +# CONFIG_DM_VERITY is not set +# CONFIG_DM_SWITCH is not set +# CONFIG_DM_LOG_WRITES is not set +# CONFIG_TARGET_CORE is not set +CONFIG_FUSION=y +CONFIG_FUSION_SPI=y +CONFIG_FUSION_FC=y +CONFIG_FUSION_SAS=y +CONFIG_FUSION_MAX_SGE=128 +# CONFIG_FUSION_CTL is not set +# CONFIG_FUSION_LOGGING is not set + +# +# IEEE 1394 (FireWire) support +# +# 
CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_MII=y +CONFIG_NET_CORE=y +# CONFIG_BONDING is not set +# CONFIG_DUMMY is not set +# CONFIG_EQUALIZER is not set +# CONFIG_NET_FC is not set +# CONFIG_NET_TEAM is not set +CONFIG_MACVLAN=y +CONFIG_MACVTAP=y +# CONFIG_VXLAN is not set +# CONFIG_GENEVE is not set +# CONFIG_GTP is not set +# CONFIG_MACSEC is not set +CONFIG_NETCONSOLE=y +# CONFIG_NETCONSOLE_DYNAMIC is not set +CONFIG_NETPOLL=y +CONFIG_NET_POLL_CONTROLLER=y +CONFIG_TUN=y +# CONFIG_TUN_VNET_CROSS_LE is not set +CONFIG_VETH=y +CONFIG_VIRTIO_NET=y +CONFIG_NLMON=y +# CONFIG_ARCNET is not set + +# +# CAIF transport drivers +# + +# +# Distributed Switch Architecture drivers +# +CONFIG_ETHERNET=y +# CONFIG_NET_VENDOR_3COM is not set +# CONFIG_NET_VENDOR_ADAPTEC is not set +# CONFIG_NET_VENDOR_AGERE is not set +# CONFIG_NET_VENDOR_ALTEON is not set +# CONFIG_ALTERA_TSE is not set +# CONFIG_NET_VENDOR_AMAZON is not set +# CONFIG_NET_VENDOR_AMD is not set +# CONFIG_NET_VENDOR_ARC is not set +# CONFIG_NET_VENDOR_ATHEROS is not set +# CONFIG_NET_VENDOR_AURORA is not set +# CONFIG_NET_CADENCE is not set +# CONFIG_NET_VENDOR_BROADCOM is not set +# CONFIG_NET_VENDOR_BROCADE is not set +# CONFIG_NET_VENDOR_CAVIUM is not set +# CONFIG_NET_VENDOR_CHELSIO is not set +# CONFIG_NET_VENDOR_CISCO is not set +# CONFIG_CX_ECAT is not set +# CONFIG_DNET is not set +# CONFIG_NET_VENDOR_DEC is not set +# CONFIG_NET_VENDOR_DLINK is not set +# CONFIG_NET_VENDOR_EMULEX is not set +# CONFIG_NET_VENDOR_EZCHIP is not set +# CONFIG_NET_VENDOR_EXAR is not set +# CONFIG_NET_VENDOR_HP is not set +# CONFIG_NET_VENDOR_INTEL is not set +# CONFIG_JME is not set +# CONFIG_NET_VENDOR_MARVELL is not set +# CONFIG_NET_VENDOR_MELLANOX is not set +# CONFIG_NET_VENDOR_MICREL is not set +CONFIG_NET_VENDOR_MICROCHIP=y +# CONFIG_ENC28J60 is not set +# CONFIG_ENCX24J600 is not set +# CONFIG_NET_VENDOR_MYRI is not set +# 
CONFIG_FEALNX is not set +# CONFIG_NET_VENDOR_NATSEMI is not set +# CONFIG_NET_VENDOR_NETRONOME is not set +# CONFIG_NET_VENDOR_NVIDIA is not set +# CONFIG_NET_VENDOR_OKI is not set +# CONFIG_ETHOC is not set +# CONFIG_NET_PACKET_ENGINE is not set +# CONFIG_NET_VENDOR_QLOGIC is not set +# CONFIG_NET_VENDOR_QUALCOMM is not set +CONFIG_NET_VENDOR_REALTEK=y +CONFIG_8139CP=y +CONFIG_8139TOO=y +CONFIG_8139TOO_PIO=y +CONFIG_8139TOO_TUNE_TWISTER=y +CONFIG_8139TOO_8129=y +# CONFIG_8139_OLD_RX_RESET is not set +CONFIG_R8169=y +# CONFIG_NET_VENDOR_RENESAS is not set +# CONFIG_NET_VENDOR_RDC is not set +# CONFIG_NET_VENDOR_ROCKER is not set +# CONFIG_NET_VENDOR_SAMSUNG is not set +# CONFIG_NET_VENDOR_SEEQ is not set +# CONFIG_NET_VENDOR_SILAN is not set +# CONFIG_NET_VENDOR_SIS is not set +# CONFIG_SFC is not set +# CONFIG_NET_VENDOR_SMSC is not set +# CONFIG_NET_VENDOR_STMICRO is not set +# CONFIG_NET_VENDOR_SUN is not set +# CONFIG_NET_VENDOR_SYNOPSYS is not set +# CONFIG_NET_VENDOR_TEHUTI is not set +# CONFIG_NET_VENDOR_TI is not set +# CONFIG_NET_VENDOR_VIA is not set +# CONFIG_NET_VENDOR_WIZNET is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +CONFIG_PHYLIB=y +CONFIG_SWPHY=y + +# +# MDIO bus device drivers +# +# CONFIG_MDIO_BCM_UNIMAC is not set +# CONFIG_MDIO_BITBANG is not set +# CONFIG_MDIO_BUS_MUX_GPIO is not set +# CONFIG_MDIO_BUS_MUX_MMIOREG is not set +# CONFIG_MDIO_HISI_FEMAC is not set +# CONFIG_MDIO_OCTEON is not set +# CONFIG_MDIO_THUNDER is not set + +# +# MII PHY device drivers +# +# CONFIG_AMD_PHY is not set +# CONFIG_AQUANTIA_PHY is not set +# CONFIG_AT803X_PHY is not set +# CONFIG_BCM7XXX_PHY is not set +# CONFIG_BCM87XX_PHY is not set +# CONFIG_BROADCOM_PHY is not set +# CONFIG_CICADA_PHY is not set +# CONFIG_DAVICOM_PHY is not set +# CONFIG_DP83848_PHY is not set +# CONFIG_DP83867_PHY is not set +CONFIG_FIXED_PHY=y +# CONFIG_ICPLUS_PHY is not set +# CONFIG_INTEL_XWAY_PHY is not set +# CONFIG_LSI_ET1011C_PHY 
is not set +# CONFIG_LXT_PHY is not set +# CONFIG_MARVELL_PHY is not set +# CONFIG_MICREL_PHY is not set +# CONFIG_MICROCHIP_PHY is not set +# CONFIG_MICROSEMI_PHY is not set +# CONFIG_NATIONAL_PHY is not set +# CONFIG_QSEMI_PHY is not set +# CONFIG_REALTEK_PHY is not set +# CONFIG_SMSC_PHY is not set +# CONFIG_STE10XP is not set +# CONFIG_TERANETICS_PHY is not set +# CONFIG_VITESSE_PHY is not set +# CONFIG_XILINX_GMII2RGMII is not set +# CONFIG_MICREL_KS8995MA is not set +# CONFIG_PPP is not set +# CONFIG_SLIP is not set +# CONFIG_USB_NET_DRIVERS is not set +CONFIG_WLAN=y +# CONFIG_WLAN_VENDOR_ADMTEK is not set +# CONFIG_WLAN_VENDOR_ATH is not set +# CONFIG_WLAN_VENDOR_ATMEL is not set +# CONFIG_WLAN_VENDOR_BROADCOM is not set +# CONFIG_WLAN_VENDOR_CISCO is not set +CONFIG_WLAN_VENDOR_INTEL=y +# CONFIG_IPW2100 is not set +# CONFIG_IPW2200 is not set +CONFIG_IWLEGACY=y +# CONFIG_IWL4965 is not set +CONFIG_IWL3945=y + +# +# iwl3945 / iwl4965 Debugging Options +# +# CONFIG_IWLEGACY_DEBUG is not set +CONFIG_IWLWIFI=y +CONFIG_IWLWIFI_LEDS=y +CONFIG_IWLDVM=y +CONFIG_IWLMVM=y +# CONFIG_IWLWIFI_BCAST_FILTERING is not set +CONFIG_IWLWIFI_PCIE_RTPM=y + +# +# Debugging Options +# +# CONFIG_IWLWIFI_DEBUG is not set +# CONFIG_WLAN_VENDOR_INTERSIL is not set +# CONFIG_WLAN_VENDOR_MARVELL is not set +# CONFIG_WLAN_VENDOR_MEDIATEK is not set +# CONFIG_WLAN_VENDOR_RALINK is not set +# CONFIG_WLAN_VENDOR_REALTEK is not set +# CONFIG_WLAN_VENDOR_RSI is not set +# CONFIG_WLAN_VENDOR_ST is not set +# CONFIG_WLAN_VENDOR_TI is not set +# CONFIG_WLAN_VENDOR_ZYDAS is not set +# CONFIG_MAC80211_HWSIM is not set +# CONFIG_USB_NET_RNDIS_WLAN is not set + +# +# Enable WiMAX (Networking options) to see the WiMAX drivers +# +# CONFIG_WAN is not set +# CONFIG_VMXNET3 is not set +# CONFIG_FUJITSU_ES is not set +# CONFIG_ISDN is not set +# CONFIG_NVM is not set + +# +# Input device support +# +CONFIG_INPUT=y +CONFIG_INPUT_LEDS=y +# CONFIG_INPUT_FF_MEMLESS is not set +# CONFIG_INPUT_POLLDEV is not 
set +CONFIG_INPUT_SPARSEKMAP=y +# CONFIG_INPUT_MATRIXKMAP is not set + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +# CONFIG_KEYBOARD_ADP5588 is not set +# CONFIG_KEYBOARD_ADP5589 is not set +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_QT1070 is not set +# CONFIG_KEYBOARD_QT2160 is not set +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_GPIO is not set +# CONFIG_KEYBOARD_GPIO_POLLED is not set +# CONFIG_KEYBOARD_TCA6416 is not set +# CONFIG_KEYBOARD_TCA8418 is not set +# CONFIG_KEYBOARD_MATRIX is not set +# CONFIG_KEYBOARD_LM8323 is not set +# CONFIG_KEYBOARD_LM8333 is not set +# CONFIG_KEYBOARD_MAX7359 is not set +# CONFIG_KEYBOARD_MCS is not set +# CONFIG_KEYBOARD_MPR121 is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_SAMSUNG is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_OMAP4 is not set +# CONFIG_KEYBOARD_XTKBD is not set +# CONFIG_KEYBOARD_CAP11XX is not set +# CONFIG_KEYBOARD_BCM is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +# CONFIG_MOUSE_PS2_ALPS is not set +# CONFIG_MOUSE_PS2_BYD is not set +# CONFIG_MOUSE_PS2_LOGIPS2PP is not set +CONFIG_MOUSE_PS2_SYNAPTICS=y +# CONFIG_MOUSE_PS2_CYPRESS is not set +# CONFIG_MOUSE_PS2_LIFEBOOK is not set +# CONFIG_MOUSE_PS2_TRACKPOINT is not set +CONFIG_MOUSE_PS2_ELANTECH=y +# CONFIG_MOUSE_PS2_SENTELIC is not set +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +CONFIG_MOUSE_PS2_FOCALTECH=y +CONFIG_MOUSE_SERIAL=y +# CONFIG_MOUSE_APPLETOUCH is not set +# CONFIG_MOUSE_BCM5974 is not set +# CONFIG_MOUSE_CYAPA is not set +# CONFIG_MOUSE_ELAN_I2C is not set +# CONFIG_MOUSE_VSXXXAA is not set +# CONFIG_MOUSE_GPIO is not set +CONFIG_MOUSE_SYNAPTICS_I2C=y 
+CONFIG_MOUSE_SYNAPTICS_USB=y +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set +# CONFIG_RMI4_CORE is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +CONFIG_SERIO_RAW=y +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +# CONFIG_SERIO_APBPS2 is not set +# CONFIG_USERIO is not set +# CONFIG_GAMEPORT is not set + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_HW_CONSOLE=y +CONFIG_VT_HW_CONSOLE_BINDING=y +CONFIG_UNIX98_PTYS=y +# CONFIG_LEGACY_PTYS is not set +# CONFIG_SERIAL_NONSTANDARD is not set +# CONFIG_NOZOMI is not set +# CONFIG_N_GSM is not set +# CONFIG_TRACE_SINK is not set +CONFIG_DEVMEM=y + +# +# Serial drivers +# +CONFIG_SERIAL_8250=y +CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y +CONFIG_SERIAL_8250_PNP=y +# CONFIG_SERIAL_8250_FINTEK is not set +# CONFIG_SERIAL_8250_CONSOLE is not set +CONFIG_SERIAL_8250_DMA=y +CONFIG_SERIAL_8250_PCI=y +CONFIG_SERIAL_8250_NR_UARTS=4 +CONFIG_SERIAL_8250_RUNTIME_UARTS=4 +# CONFIG_SERIAL_8250_EXTENDED is not set +CONFIG_SERIAL_8250_DW=y +# CONFIG_SERIAL_8250_RT288X is not set +CONFIG_SERIAL_8250_LPSS=y +CONFIG_SERIAL_8250_MID=y +# CONFIG_SERIAL_8250_MOXA is not set +# CONFIG_SERIAL_OF_PLATFORM is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_MAX3100 is not set +# CONFIG_SERIAL_MAX310X is not set +# CONFIG_SERIAL_UARTLITE is not set +CONFIG_SERIAL_CORE=y +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_SC16IS7XX is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_IFX6X60 is not set +# CONFIG_SERIAL_XILINX_PS_UART is not set +# 
CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +# CONFIG_SERIAL_CONEXANT_DIGICOLOR is not set +# CONFIG_TTY_PRINTK is not set +CONFIG_HVC_DRIVER=y +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +# CONFIG_HW_RANDOM is not set +# CONFIG_NVRAM is not set +# CONFIG_R3964 is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +# CONFIG_RAW_DRIVER is not set +CONFIG_HPET=y +# CONFIG_HPET_MMAP is not set +# CONFIG_HANGCHECK_TIMER is not set +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +# CONFIG_XILLYBUS is not set + +# +# I2C support +# +CONFIG_I2C=y +CONFIG_ACPI_I2C_OPREGION=y +CONFIG_I2C_BOARDINFO=y +CONFIG_I2C_COMPAT=y +CONFIG_I2C_CHARDEV=y +CONFIG_I2C_MUX=y + +# +# Multiplexer I2C Chip support +# +# CONFIG_I2C_ARB_GPIO_CHALLENGE is not set +CONFIG_I2C_MUX_GPIO=y +# CONFIG_I2C_MUX_PCA9541 is not set +# CONFIG_I2C_MUX_PCA954x is not set +# CONFIG_I2C_MUX_PINCTRL is not set +CONFIG_I2C_MUX_REG=y +# CONFIG_I2C_DEMUX_PINCTRL is not set +CONFIG_I2C_HELPER_AUTO=y +CONFIG_I2C_SMBUS=y +CONFIG_I2C_ALGOBIT=y + +# +# I2C Hardware Bus support +# + +# +# PC SMBus host controller drivers +# +# CONFIG_I2C_ALI1535 is not set +# CONFIG_I2C_ALI1563 is not set +# CONFIG_I2C_ALI15X3 is not set +# CONFIG_I2C_AMD756 is not set +# CONFIG_I2C_AMD8111 is not set +CONFIG_I2C_I801=y +# CONFIG_I2C_ISCH is not set +# CONFIG_I2C_ISMT is not set +# CONFIG_I2C_PIIX4 is not set +# CONFIG_I2C_NFORCE2 is not set +# CONFIG_I2C_SIS5595 is not set +# CONFIG_I2C_SIS630 is not set +# CONFIG_I2C_SIS96X is not set +# CONFIG_I2C_VIA is not set +# CONFIG_I2C_VIAPRO is not set + +# +# ACPI drivers +# +CONFIG_I2C_SCMI=y + +# +# I2C system bus drivers (mostly embedded / system-on-chip) +# +# CONFIG_I2C_CBUS_GPIO is not set +CONFIG_I2C_DESIGNWARE_CORE=y +CONFIG_I2C_DESIGNWARE_PLATFORM=y +CONFIG_I2C_DESIGNWARE_PCI=y +# CONFIG_I2C_DESIGNWARE_BAYTRAIL is not set +# CONFIG_I2C_EMEV2 is not set +# CONFIG_I2C_GPIO is not set +# 
CONFIG_I2C_OCORES is not set +# CONFIG_I2C_PCA_PLATFORM is not set +# CONFIG_I2C_PXA_PCI is not set +# CONFIG_I2C_RK3X is not set +# CONFIG_I2C_SIMTEC is not set +# CONFIG_I2C_XILINX is not set + +# +# External I2C/SMBus adapter drivers +# +# CONFIG_I2C_DIOLAN_U2C is not set +# CONFIG_I2C_PARPORT_LIGHT is not set +# CONFIG_I2C_ROBOTFUZZ_OSIF is not set +# CONFIG_I2C_TAOS_EVM is not set +# CONFIG_I2C_TINY_USB is not set + +# +# Other I2C/SMBus bus drivers +# +# CONFIG_I2C_STUB is not set +CONFIG_I2C_SLAVE=y +# CONFIG_I2C_SLAVE_EEPROM is not set +# CONFIG_I2C_DEBUG_CORE is not set +# CONFIG_I2C_DEBUG_ALGO is not set +# CONFIG_I2C_DEBUG_BUS is not set +CONFIG_SPI=y +# CONFIG_SPI_DEBUG is not set +CONFIG_SPI_MASTER=y + +# +# SPI Master Controller Drivers +# +# CONFIG_SPI_ALTERA is not set +# CONFIG_SPI_AXI_SPI_ENGINE is not set +CONFIG_SPI_BITBANG=y +# CONFIG_SPI_CADENCE is not set +CONFIG_SPI_DESIGNWARE=y +CONFIG_SPI_DW_PCI=y +# CONFIG_SPI_DW_MID_DMA is not set +CONFIG_SPI_DW_MMIO=y +CONFIG_SPI_GPIO=y +# CONFIG_SPI_FSL_SPI is not set +# CONFIG_SPI_OC_TINY is not set +# CONFIG_SPI_PXA2XX is not set +# CONFIG_SPI_PXA2XX_PCI is not set +# CONFIG_SPI_ROCKCHIP is not set +# CONFIG_SPI_SC18IS602 is not set +# CONFIG_SPI_XCOMM is not set +# CONFIG_SPI_XILINX is not set +# CONFIG_SPI_ZYNQMP_GQSPI is not set + +# +# SPI Protocol Masters +# +# CONFIG_SPI_SPIDEV is not set +# CONFIG_SPI_LOOPBACK_TEST is not set +# CONFIG_SPI_TLE62X0 is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set + +# +# PPS support +# +CONFIG_PPS=y +# CONFIG_PPS_DEBUG is not set + +# +# PPS clients support +# +# CONFIG_PPS_CLIENT_KTIMER is not set +# CONFIG_PPS_CLIENT_LDISC is not set +# CONFIG_PPS_CLIENT_GPIO is not set + +# +# PPS generators support +# + +# +# PTP clock support +# +CONFIG_PTP_1588_CLOCK=y +# CONFIG_DP83640_PHY is not set +CONFIG_PINCTRL=y + +# +# Pin controllers +# +# CONFIG_DEBUG_PINCTRL is not set +# CONFIG_PINCTRL_AMD is not set +# CONFIG_PINCTRL_SINGLE is not set +# 
CONFIG_PINCTRL_BAYTRAIL is not set +# CONFIG_PINCTRL_CHERRYVIEW is not set +# CONFIG_PINCTRL_BROXTON is not set +# CONFIG_PINCTRL_SUNRISEPOINT is not set +CONFIG_GPIOLIB=y +CONFIG_OF_GPIO=y +CONFIG_GPIO_ACPI=y +# CONFIG_DEBUG_GPIO is not set +CONFIG_GPIO_SYSFS=y + +# +# Memory mapped GPIO drivers +# +# CONFIG_GPIO_74XX_MMIO is not set +# CONFIG_GPIO_ALTERA is not set +# CONFIG_GPIO_AMDPT is not set +# CONFIG_GPIO_DWAPB is not set +# CONFIG_GPIO_GENERIC_PLATFORM is not set +# CONFIG_GPIO_GRGPIO is not set +CONFIG_GPIO_ICH=y +# CONFIG_GPIO_LYNXPOINT is not set +# CONFIG_GPIO_MOCKUP is not set +# CONFIG_GPIO_VX855 is not set +# CONFIG_GPIO_XILINX is not set +# CONFIG_GPIO_ZX is not set + +# +# Port-mapped I/O GPIO drivers +# +# CONFIG_GPIO_F7188X is not set +# CONFIG_GPIO_IT87 is not set +# CONFIG_GPIO_SCH is not set +# CONFIG_GPIO_SCH311X is not set + +# +# I2C GPIO expanders +# +# CONFIG_GPIO_ADP5588 is not set +# CONFIG_GPIO_ADNP is not set +# CONFIG_GPIO_MAX7300 is not set +# CONFIG_GPIO_MAX732X is not set +# CONFIG_GPIO_PCA953X is not set +# CONFIG_GPIO_PCF857X is not set +# CONFIG_GPIO_SX150X is not set +# CONFIG_GPIO_TPIC2810 is not set +# CONFIG_GPIO_TS4900 is not set + +# +# MFD GPIO expanders +# + +# +# PCI GPIO expanders +# +# CONFIG_GPIO_AMD8111 is not set +# CONFIG_GPIO_BT8XX is not set +# CONFIG_GPIO_ML_IOH is not set +# CONFIG_GPIO_RDC321X is not set +# CONFIG_GPIO_SODAVILLE is not set + +# +# SPI GPIO expanders +# +# CONFIG_GPIO_74X164 is not set +# CONFIG_GPIO_MAX7301 is not set +# CONFIG_GPIO_MC33880 is not set +# CONFIG_GPIO_PISOSR is not set + +# +# SPI or I2C GPIO expanders +# +# CONFIG_GPIO_MCP23S08 is not set + +# +# USB GPIO expanders +# +# CONFIG_W1 is not set +# CONFIG_POWER_AVS is not set +# CONFIG_POWER_RESET is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_DS2782 
is not set +# CONFIG_BATTERY_SBS is not set +# CONFIG_BATTERY_BQ27XXX is not set +# CONFIG_BATTERY_MAX17040 is not set +# CONFIG_BATTERY_MAX17042 is not set +# CONFIG_CHARGER_ISP1704 is not set +# CONFIG_CHARGER_MAX8903 is not set +# CONFIG_CHARGER_LP8727 is not set +# CONFIG_CHARGER_GPIO is not set +# CONFIG_CHARGER_BQ2415X is not set +# CONFIG_CHARGER_BQ24190 is not set +# CONFIG_CHARGER_BQ24257 is not set +# CONFIG_CHARGER_BQ24735 is not set +# CONFIG_CHARGER_BQ25890 is not set +# CONFIG_CHARGER_SMB347 is not set +# CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_CHARGER_RT9455 is not set +CONFIG_HWMON=y +# CONFIG_HWMON_VID is not set +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_AD7314 is not set +# CONFIG_SENSORS_AD7414 is not set +# CONFIG_SENSORS_AD7418 is not set +# CONFIG_SENSORS_ADM1021 is not set +# CONFIG_SENSORS_ADM1025 is not set +# CONFIG_SENSORS_ADM1026 is not set +# CONFIG_SENSORS_ADM1029 is not set +# CONFIG_SENSORS_ADM1031 is not set +# CONFIG_SENSORS_ADM9240 is not set +# CONFIG_SENSORS_ADT7310 is not set +# CONFIG_SENSORS_ADT7410 is not set +# CONFIG_SENSORS_ADT7411 is not set +# CONFIG_SENSORS_ADT7462 is not set +# CONFIG_SENSORS_ADT7470 is not set +# CONFIG_SENSORS_ADT7475 is not set +# CONFIG_SENSORS_ASC7621 is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_ASB100 is not set +# CONFIG_SENSORS_ATXP1 is not set +# CONFIG_SENSORS_DS620 is not set +# CONFIG_SENSORS_DS1621 is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_F75375S is not set +# CONFIG_SENSORS_FSCHMD is not set +# CONFIG_SENSORS_FTSTEUTATES is not set +# CONFIG_SENSORS_GL518SM is not set +# CONFIG_SENSORS_GL520SM is not set +# CONFIG_SENSORS_G760A is 
not set +# CONFIG_SENSORS_G762 is not set +# CONFIG_SENSORS_GPIO_FAN is not set +# CONFIG_SENSORS_HIH6130 is not set +# CONFIG_SENSORS_I5500 is not set +CONFIG_SENSORS_CORETEMP=y +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_JC42 is not set +# CONFIG_SENSORS_POWR1220 is not set +# CONFIG_SENSORS_LINEAGE is not set +# CONFIG_SENSORS_LTC2945 is not set +# CONFIG_SENSORS_LTC2990 is not set +# CONFIG_SENSORS_LTC4151 is not set +# CONFIG_SENSORS_LTC4215 is not set +# CONFIG_SENSORS_LTC4222 is not set +# CONFIG_SENSORS_LTC4245 is not set +# CONFIG_SENSORS_LTC4260 is not set +# CONFIG_SENSORS_LTC4261 is not set +# CONFIG_SENSORS_MAX1111 is not set +# CONFIG_SENSORS_MAX16065 is not set +# CONFIG_SENSORS_MAX1619 is not set +# CONFIG_SENSORS_MAX1668 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_MAX31722 is not set +# CONFIG_SENSORS_MAX6639 is not set +# CONFIG_SENSORS_MAX6642 is not set +# CONFIG_SENSORS_MAX6650 is not set +# CONFIG_SENSORS_MAX6697 is not set +# CONFIG_SENSORS_MAX31790 is not set +# CONFIG_SENSORS_MCP3021 is not set +# CONFIG_SENSORS_ADCXX is not set +# CONFIG_SENSORS_LM63 is not set +# CONFIG_SENSORS_LM70 is not set +# CONFIG_SENSORS_LM73 is not set +# CONFIG_SENSORS_LM75 is not set +# CONFIG_SENSORS_LM77 is not set +# CONFIG_SENSORS_LM78 is not set +# CONFIG_SENSORS_LM80 is not set +# CONFIG_SENSORS_LM83 is not set +# CONFIG_SENSORS_LM85 is not set +# CONFIG_SENSORS_LM87 is not set +# CONFIG_SENSORS_LM90 is not set +# CONFIG_SENSORS_LM92 is not set +# CONFIG_SENSORS_LM93 is not set +# CONFIG_SENSORS_LM95234 is not set +# CONFIG_SENSORS_LM95241 is not set +# CONFIG_SENSORS_LM95245 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_NCT7802 is not set +# CONFIG_SENSORS_NCT7904 is not set +# CONFIG_SENSORS_PCF8591 is not set +# CONFIG_PMBUS is not set +# 
CONFIG_SENSORS_SHT15 is not set +# CONFIG_SENSORS_SHT21 is not set +# CONFIG_SENSORS_SHT3x is not set +# CONFIG_SENSORS_SHTC1 is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_DME1737 is not set +# CONFIG_SENSORS_EMC1403 is not set +# CONFIG_SENSORS_EMC2103 is not set +# CONFIG_SENSORS_EMC6W201 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47M192 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_SCH56XX_COMMON is not set +# CONFIG_SENSORS_SCH5627 is not set +# CONFIG_SENSORS_SCH5636 is not set +# CONFIG_SENSORS_SMM665 is not set +# CONFIG_SENSORS_ADC128D818 is not set +# CONFIG_SENSORS_ADS1015 is not set +# CONFIG_SENSORS_ADS7828 is not set +# CONFIG_SENSORS_ADS7871 is not set +# CONFIG_SENSORS_AMC6821 is not set +# CONFIG_SENSORS_INA209 is not set +# CONFIG_SENSORS_INA2XX is not set +# CONFIG_SENSORS_INA3221 is not set +# CONFIG_SENSORS_TC74 is not set +# CONFIG_SENSORS_THMC50 is not set +# CONFIG_SENSORS_TMP102 is not set +# CONFIG_SENSORS_TMP103 is not set +# CONFIG_SENSORS_TMP401 is not set +# CONFIG_SENSORS_TMP421 is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83781D is not set +# CONFIG_SENSORS_W83791D is not set +# CONFIG_SENSORS_W83792D is not set +# CONFIG_SENSORS_W83793 is not set +# CONFIG_SENSORS_W83795 is not set +# CONFIG_SENSORS_W83L785TS is not set +# CONFIG_SENSORS_W83L786NG is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +CONFIG_SENSORS_ACPI_POWER=y +# CONFIG_SENSORS_ATK0110 is not set +CONFIG_THERMAL=y +CONFIG_THERMAL_HWMON=y +CONFIG_THERMAL_OF=y +CONFIG_THERMAL_WRITABLE_TRIPS=y +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set +# 
CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +CONFIG_THERMAL_GOV_USER_SPACE=y +CONFIG_THERMAL_GOV_POWER_ALLOCATOR=y +# CONFIG_THERMAL_EMULATION is not set +# CONFIG_QORIQ_THERMAL is not set +# CONFIG_INTEL_POWERCLAMP is not set +CONFIG_X86_PKG_TEMP_THERMAL=y +CONFIG_INTEL_SOC_DTS_IOSF_CORE=y +CONFIG_INTEL_SOC_DTS_THERMAL=y + +# +# ACPI INT340X thermal drivers +# +# CONFIG_INT340X_THERMAL is not set +CONFIG_INTEL_PCH_THERMAL=y +CONFIG_WATCHDOG=y +CONFIG_WATCHDOG_CORE=y +CONFIG_WATCHDOG_NOWAYOUT=y +CONFIG_WATCHDOG_SYSFS=y + +# +# Watchdog Device Drivers +# +# CONFIG_SOFT_WATCHDOG is not set +# CONFIG_GPIO_WATCHDOG is not set +# CONFIG_WDAT_WDT is not set +# CONFIG_XILINX_WATCHDOG is not set +# CONFIG_ZIIRAVE_WATCHDOG is not set +# CONFIG_CADENCE_WATCHDOG is not set +# CONFIG_DW_WATCHDOG is not set +# CONFIG_MAX63XX_WATCHDOG is not set +# CONFIG_ACQUIRE_WDT is not set +# CONFIG_ADVANTECH_WDT is not set +# CONFIG_ALIM1535_WDT is not set +# CONFIG_ALIM7101_WDT is not set +# CONFIG_F71808E_WDT is not set +# CONFIG_SP5100_TCO is not set +# CONFIG_SBC_FITPC2_WATCHDOG is not set +# CONFIG_EUROTECH_WDT is not set +# CONFIG_IB700_WDT is not set +# CONFIG_IBMASR is not set +# CONFIG_WAFER_WDT is not set +# CONFIG_I6300ESB_WDT is not set +# CONFIG_IE6XX_WDT is not set +CONFIG_ITCO_WDT=y +CONFIG_ITCO_VENDOR_SUPPORT=y +# CONFIG_IT8712F_WDT is not set +# CONFIG_IT87_WDT is not set +# CONFIG_HP_WATCHDOG is not set +# CONFIG_SC1200_WDT is not set +# CONFIG_PC87413_WDT is not set +# CONFIG_NV_TCO is not set +# CONFIG_60XX_WDT is not set +# CONFIG_CPU5_WDT is not set +# CONFIG_SMSC_SCH311X_WDT is not set +# CONFIG_SMSC37B787_WDT is not set +# CONFIG_VIA_WDT is not set +# CONFIG_W83627HF_WDT is not set +# CONFIG_W83877F_WDT is not set +# CONFIG_W83977F_WDT is not set +# CONFIG_MACHZ_WDT is not set +# CONFIG_SBC_EPX_C3_WATCHDOG is not set +CONFIG_INTEL_MEI_WDT=y +# CONFIG_NI903X_WDT is not set +# CONFIG_MEN_A21_WDT 
is not set + +# +# PCI-based Watchdog Cards +# +# CONFIG_PCIPCWATCHDOG is not set +# CONFIG_WDTPCI is not set + +# +# USB-based Watchdog Cards +# +# CONFIG_USBPCWATCHDOG is not set + +# +# Watchdog Pretimeout Governors +# +# CONFIG_WATCHDOG_PRETIMEOUT_GOV is not set +CONFIG_SSB_POSSIBLE=y + +# +# Sonics Silicon Backplane +# +CONFIG_SSB=y +CONFIG_SSB_SPROM=y +CONFIG_SSB_PCIHOST_POSSIBLE=y +CONFIG_SSB_PCIHOST=y +# CONFIG_SSB_B43_PCI_BRIDGE is not set +CONFIG_SSB_SDIOHOST_POSSIBLE=y +# CONFIG_SSB_SDIOHOST is not set +# CONFIG_SSB_SILENT is not set +# CONFIG_SSB_DEBUG is not set +CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y +CONFIG_SSB_DRIVER_PCICORE=y +# CONFIG_SSB_DRIVER_GPIO is not set +CONFIG_BCMA_POSSIBLE=y + +# +# Broadcom specific AMBA +# +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +CONFIG_MFD_CORE=y +# CONFIG_MFD_ACT8945A is not set +# CONFIG_MFD_AS3711 is not set +# CONFIG_MFD_AS3722 is not set +# CONFIG_PMIC_ADP5520 is not set +# CONFIG_MFD_AAT2870_CORE is not set +# CONFIG_MFD_ATMEL_FLEXCOM is not set +# CONFIG_MFD_ATMEL_HLCDC is not set +# CONFIG_MFD_BCM590XX is not set +# CONFIG_MFD_AXP20X_I2C is not set +# CONFIG_MFD_CROS_EC is not set +# CONFIG_PMIC_DA903X is not set +# CONFIG_MFD_DA9052_SPI is not set +# CONFIG_MFD_DA9052_I2C is not set +# CONFIG_MFD_DA9055 is not set +# CONFIG_MFD_DA9062 is not set +# CONFIG_MFD_DA9063 is not set +# CONFIG_MFD_DA9150 is not set +# CONFIG_MFD_DLN2 is not set +# CONFIG_MFD_EXYNOS_LPASS is not set +# CONFIG_MFD_MC13XXX_SPI is not set +# CONFIG_MFD_MC13XXX_I2C is not set +# CONFIG_MFD_HI6421_PMIC is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_HTC_I2CPLD is not set +# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set +CONFIG_LPC_ICH=y +# CONFIG_LPC_SCH is not set +# CONFIG_INTEL_SOC_PMIC is not set +# CONFIG_MFD_INTEL_LPSS_ACPI is not set +# CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_88PM800 is not set +# CONFIG_MFD_88PM805 is not set 
+# CONFIG_MFD_88PM860X is not set +# CONFIG_MFD_MAX14577 is not set +# CONFIG_MFD_MAX77620 is not set +# CONFIG_MFD_MAX77686 is not set +# CONFIG_MFD_MAX77693 is not set +# CONFIG_MFD_MAX77843 is not set +# CONFIG_MFD_MAX8907 is not set +# CONFIG_MFD_MAX8925 is not set +# CONFIG_MFD_MAX8997 is not set +# CONFIG_MFD_MAX8998 is not set +# CONFIG_MFD_MT6397 is not set +# CONFIG_MFD_MENF21BMC is not set +# CONFIG_EZX_PCAP is not set +# CONFIG_MFD_VIPERBOARD is not set +# CONFIG_MFD_RETU is not set +# CONFIG_MFD_PCF50633 is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_RTSX_PCI is not set +# CONFIG_MFD_RT5033 is not set +# CONFIG_MFD_RTSX_USB is not set +# CONFIG_MFD_RC5T583 is not set +# CONFIG_MFD_RK808 is not set +# CONFIG_MFD_RN5T618 is not set +# CONFIG_MFD_SEC_CORE is not set +# CONFIG_MFD_SI476X_CORE is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_MFD_SKY81452 is not set +# CONFIG_MFD_SMSC is not set +# CONFIG_ABX500_CORE is not set +# CONFIG_MFD_STMPE is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_LP3943 is not set +# CONFIG_MFD_LP8788 is not set +# CONFIG_MFD_PALMAS is not set +# CONFIG_TPS6105X is not set +# CONFIG_TPS65010 is not set +# CONFIG_TPS6507X is not set +# CONFIG_MFD_TPS65086 is not set +# CONFIG_MFD_TPS65090 is not set +# CONFIG_MFD_TPS65217 is not set +# CONFIG_MFD_TI_LP873X is not set +# CONFIG_MFD_TPS65218 is not set +# CONFIG_MFD_TPS6586X is not set +# CONFIG_MFD_TPS65910 is not set +# CONFIG_MFD_TPS65912_I2C is not set +# CONFIG_MFD_TPS65912_SPI is not set +# CONFIG_MFD_TPS80031 is not set +# CONFIG_TWL4030_CORE is not set +# CONFIG_TWL6040_CORE is not set +# CONFIG_MFD_WL1273_CORE is not set +# CONFIG_MFD_LM3533 is not set +# CONFIG_MFD_TC3589X is not set +# CONFIG_MFD_TMIO is not set +# CONFIG_MFD_VX855 is not set +# CONFIG_MFD_ARIZONA_I2C is not set +# CONFIG_MFD_ARIZONA_SPI is not set +# CONFIG_MFD_WM8400 is not set +# CONFIG_MFD_WM831X_I2C is not set +# CONFIG_MFD_WM831X_SPI 
is not set +# CONFIG_MFD_WM8350_I2C is not set +# CONFIG_MFD_WM8994 is not set +# CONFIG_REGULATOR is not set +CONFIG_MEDIA_SUPPORT=y + +# +# Multimedia core support +# +CONFIG_MEDIA_CAMERA_SUPPORT=y +# CONFIG_MEDIA_ANALOG_TV_SUPPORT is not set +# CONFIG_MEDIA_DIGITAL_TV_SUPPORT is not set +# CONFIG_MEDIA_RADIO_SUPPORT is not set +# CONFIG_MEDIA_SDR_SUPPORT is not set +# CONFIG_MEDIA_RC_SUPPORT is not set +# CONFIG_MEDIA_CONTROLLER is not set +CONFIG_VIDEO_DEV=y +CONFIG_VIDEO_V4L2=y +# CONFIG_VIDEO_ADV_DEBUG is not set +# CONFIG_VIDEO_FIXED_MINOR_RANGES is not set +CONFIG_VIDEOBUF_GEN=m +CONFIG_VIDEOBUF2_CORE=m +CONFIG_VIDEOBUF2_MEMOPS=m +CONFIG_VIDEOBUF2_VMALLOC=m +# CONFIG_TTPCI_EEPROM is not set + +# +# Media drivers +# +CONFIG_MEDIA_USB_SUPPORT=y + +# +# Webcam devices +# +CONFIG_USB_VIDEO_CLASS=m +CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV=y +CONFIG_USB_GSPCA=m +# CONFIG_USB_M5602 is not set +# CONFIG_USB_STV06XX is not set +# CONFIG_USB_GL860 is not set +# CONFIG_USB_GSPCA_BENQ is not set +# CONFIG_USB_GSPCA_CONEX is not set +# CONFIG_USB_GSPCA_CPIA1 is not set +# CONFIG_USB_GSPCA_DTCS033 is not set +# CONFIG_USB_GSPCA_ETOMS is not set +# CONFIG_USB_GSPCA_FINEPIX is not set +# CONFIG_USB_GSPCA_JEILINJ is not set +# CONFIG_USB_GSPCA_JL2005BCD is not set +# CONFIG_USB_GSPCA_KINECT is not set +# CONFIG_USB_GSPCA_KONICA is not set +# CONFIG_USB_GSPCA_MARS is not set +# CONFIG_USB_GSPCA_MR97310A is not set +# CONFIG_USB_GSPCA_NW80X is not set +# CONFIG_USB_GSPCA_OV519 is not set +# CONFIG_USB_GSPCA_OV534 is not set +# CONFIG_USB_GSPCA_OV534_9 is not set +# CONFIG_USB_GSPCA_PAC207 is not set +# CONFIG_USB_GSPCA_PAC7302 is not set +# CONFIG_USB_GSPCA_PAC7311 is not set +# CONFIG_USB_GSPCA_SE401 is not set +# CONFIG_USB_GSPCA_SN9C2028 is not set +# CONFIG_USB_GSPCA_SN9C20X is not set +# CONFIG_USB_GSPCA_SONIXB is not set +# CONFIG_USB_GSPCA_SONIXJ is not set +# CONFIG_USB_GSPCA_SPCA500 is not set +# CONFIG_USB_GSPCA_SPCA501 is not set +# CONFIG_USB_GSPCA_SPCA505 is not set 
+# CONFIG_USB_GSPCA_SPCA506 is not set +# CONFIG_USB_GSPCA_SPCA508 is not set +# CONFIG_USB_GSPCA_SPCA561 is not set +# CONFIG_USB_GSPCA_SPCA1528 is not set +# CONFIG_USB_GSPCA_SQ905 is not set +# CONFIG_USB_GSPCA_SQ905C is not set +# CONFIG_USB_GSPCA_SQ930X is not set +# CONFIG_USB_GSPCA_STK014 is not set +# CONFIG_USB_GSPCA_STK1135 is not set +# CONFIG_USB_GSPCA_STV0680 is not set +# CONFIG_USB_GSPCA_SUNPLUS is not set +# CONFIG_USB_GSPCA_T613 is not set +# CONFIG_USB_GSPCA_TOPRO is not set +# CONFIG_USB_GSPCA_TOUPTEK is not set +# CONFIG_USB_GSPCA_TV8532 is not set +# CONFIG_USB_GSPCA_VC032X is not set +# CONFIG_USB_GSPCA_VICAM is not set +# CONFIG_USB_GSPCA_XIRLINK_CIT is not set +# CONFIG_USB_GSPCA_ZC3XX is not set +# CONFIG_USB_PWC is not set +# CONFIG_VIDEO_CPIA2 is not set +# CONFIG_USB_ZR364XX is not set +# CONFIG_USB_STKWEBCAM is not set +# CONFIG_USB_S2255 is not set +# CONFIG_VIDEO_USBTV is not set + +# +# Webcam, TV (analog/digital) USB devices +# +# CONFIG_VIDEO_EM28XX is not set +# CONFIG_MEDIA_PCI_SUPPORT is not set +CONFIG_V4L_PLATFORM_DRIVERS=y +# CONFIG_VIDEO_CAFE_CCIC is not set +CONFIG_SOC_CAMERA=m +CONFIG_SOC_CAMERA_PLATFORM=m +# CONFIG_V4L_MEM2MEM_DRIVERS is not set +# CONFIG_V4L_TEST_DRIVERS is not set + +# +# Supported MMC/SDIO adapters +# +# CONFIG_CYPRESS_FIRMWARE is not set + +# +# Media ancillary drivers (tuners, sensors, i2c, spi, frontends) +# +CONFIG_MEDIA_SUBDRV_AUTOSELECT=y + +# +# Audio decoders, processors and mixers +# + +# +# RDS decoders +# + +# +# Video decoders +# + +# +# Video and audio decoders +# + +# +# Video encoders +# + +# +# Camera sensor devices +# + +# +# Flash devices +# + +# +# Video improvement chips +# + +# +# Audio/Video compression chips +# + +# +# Miscellaneous helper chips +# + +# +# Sensors used on soc_camera driver +# + +# +# soc_camera sensor drivers +# +# CONFIG_SOC_CAMERA_IMX074 is not set +# CONFIG_SOC_CAMERA_MT9M001 is not set +# CONFIG_SOC_CAMERA_MT9M111 is not set +# CONFIG_SOC_CAMERA_MT9T031 is 
not set +# CONFIG_SOC_CAMERA_MT9T112 is not set +# CONFIG_SOC_CAMERA_MT9V022 is not set +# CONFIG_SOC_CAMERA_OV2640 is not set +# CONFIG_SOC_CAMERA_OV5642 is not set +# CONFIG_SOC_CAMERA_OV6650 is not set +# CONFIG_SOC_CAMERA_OV772X is not set +# CONFIG_SOC_CAMERA_OV9640 is not set +# CONFIG_SOC_CAMERA_OV9740 is not set +# CONFIG_SOC_CAMERA_RJ54N1 is not set +# CONFIG_SOC_CAMERA_TW9910 is not set + +# +# Tools to develop new frontends +# +# CONFIG_DVB_DUMMY_FE is not set + +# +# Graphics support +# +CONFIG_AGP=y +CONFIG_AGP_INTEL=y +# CONFIG_AGP_SIS is not set +# CONFIG_AGP_VIA is not set +CONFIG_INTEL_GTT=y +CONFIG_VGA_ARB=y +CONFIG_VGA_ARB_MAX_GPUS=1 +# CONFIG_VGA_SWITCHEROO is not set +CONFIG_DRM=y +CONFIG_DRM_MIPI_DSI=y +CONFIG_DRM_DP_AUX_CHARDEV=y +CONFIG_DRM_KMS_HELPER=y +CONFIG_DRM_KMS_FB_HELPER=y +CONFIG_DRM_FBDEV_EMULATION=y +# CONFIG_DRM_LOAD_EDID_FIRMWARE is not set +CONFIG_DRM_TTM=y + +# +# I2C encoder or helper chips +# +# CONFIG_DRM_I2C_CH7006 is not set +# CONFIG_DRM_I2C_SIL164 is not set +# CONFIG_DRM_I2C_NXP_TDA998X is not set +# CONFIG_DRM_RADEON is not set +# CONFIG_DRM_AMDGPU is not set + +# +# ACP (Audio CoProcessor) Configuration +# +# CONFIG_DRM_NOUVEAU is not set +CONFIG_DRM_I915=y +# CONFIG_DRM_I915_PRELIMINARY_HW_SUPPORT is not set +CONFIG_DRM_I915_USERPTR=y +CONFIG_DRM_I915_GVT=y + +# +# drm/i915 Debugging +# +# CONFIG_DRM_I915_WERROR is not set +# CONFIG_DRM_I915_DEBUG is not set +CONFIG_DRM_VGEM=y +# CONFIG_DRM_VMWGFX is not set +# CONFIG_DRM_GMA500 is not set +# CONFIG_DRM_UDL is not set +# CONFIG_DRM_AST is not set +# CONFIG_DRM_MGAG200 is not set +# CONFIG_DRM_CIRRUS_QEMU is not set +# CONFIG_DRM_QXL is not set +CONFIG_DRM_BOCHS=y +CONFIG_DRM_VIRTIO_GPU=y +CONFIG_DRM_PANEL=y + +# +# Display Panels +# +# CONFIG_DRM_PANEL_SIMPLE is not set +# CONFIG_DRM_PANEL_JDI_LT070ME05000 is not set +# CONFIG_DRM_PANEL_SAMSUNG_LD9040 is not set +# CONFIG_DRM_PANEL_LG_LG4573 is not set +# CONFIG_DRM_PANEL_PANASONIC_VVX10F034N00 is not set +# 
CONFIG_DRM_PANEL_SAMSUNG_S6E8AA0 is not set +# CONFIG_DRM_PANEL_SHARP_LQ101R1SX01 is not set +# CONFIG_DRM_PANEL_SHARP_LS043T1LE01 is not set +CONFIG_DRM_BRIDGE=y + +# +# Display Interface Bridges +# +# CONFIG_DRM_ANALOGIX_ANX78XX is not set +# CONFIG_DRM_DUMB_VGA_DAC is not set +# CONFIG_DRM_NXP_PTN3460 is not set +# CONFIG_DRM_PARADE_PS8622 is not set +# CONFIG_DRM_SII902X is not set +# CONFIG_DRM_TOSHIBA_TC358767 is not set +# CONFIG_DRM_I2C_ADV7511 is not set +# CONFIG_DRM_ARCPGU is not set +# CONFIG_DRM_LEGACY is not set + +# +# Frame buffer Devices +# +CONFIG_FB=y +# CONFIG_FIRMWARE_EDID is not set +CONFIG_FB_CMDLINE=y +CONFIG_FB_NOTIFY=y +# CONFIG_FB_DDC is not set +CONFIG_FB_BOOT_VESA_SUPPORT=y +CONFIG_FB_CFB_FILLRECT=y +CONFIG_FB_CFB_COPYAREA=y +CONFIG_FB_CFB_IMAGEBLIT=y +# CONFIG_FB_CFB_REV_PIXELS_IN_BYTE is not set +CONFIG_FB_SYS_FILLRECT=y +CONFIG_FB_SYS_COPYAREA=y +CONFIG_FB_SYS_IMAGEBLIT=y +# CONFIG_FB_FOREIGN_ENDIAN is not set +CONFIG_FB_SYS_FOPS=y +CONFIG_FB_DEFERRED_IO=y +# CONFIG_FB_SVGALIB is not set +# CONFIG_FB_MACMODES is not set +# CONFIG_FB_BACKLIGHT is not set +# CONFIG_FB_MODE_HELPERS is not set +# CONFIG_FB_TILEBLITTING is not set + +# +# Frame buffer hardware drivers +# +# CONFIG_FB_CIRRUS is not set +# CONFIG_FB_PM2 is not set +# CONFIG_FB_CYBER2000 is not set +# CONFIG_FB_ARC is not set +# CONFIG_FB_ASILIANT is not set +# CONFIG_FB_IMSTT is not set +# CONFIG_FB_VGA16 is not set +# CONFIG_FB_UVESA is not set +CONFIG_FB_VESA=y +CONFIG_FB_EFI=y +# CONFIG_FB_N411 is not set +# CONFIG_FB_HGA is not set +# CONFIG_FB_OPENCORES is not set +# CONFIG_FB_S1D13XXX is not set +# CONFIG_FB_NVIDIA is not set +# CONFIG_FB_RIVA is not set +# CONFIG_FB_I740 is not set +# CONFIG_FB_LE80578 is not set +# CONFIG_FB_MATROX is not set +# CONFIG_FB_RADEON is not set +# CONFIG_FB_ATY128 is not set +# CONFIG_FB_ATY is not set +# CONFIG_FB_S3 is not set +# CONFIG_FB_SAVAGE is not set +# CONFIG_FB_SIS is not set +# CONFIG_FB_VIA is not set +# CONFIG_FB_NEOMAGIC 
is not set +# CONFIG_FB_KYRO is not set +# CONFIG_FB_3DFX is not set +# CONFIG_FB_VOODOO1 is not set +# CONFIG_FB_VT8623 is not set +# CONFIG_FB_TRIDENT is not set +# CONFIG_FB_ARK is not set +# CONFIG_FB_PM3 is not set +# CONFIG_FB_CARMINE is not set +# CONFIG_FB_SMSCUFX is not set +# CONFIG_FB_UDL is not set +# CONFIG_FB_IBM_GXT4500 is not set +# CONFIG_FB_VIRTUAL is not set +# CONFIG_FB_METRONOME is not set +# CONFIG_FB_MB862XX is not set +# CONFIG_FB_BROADSHEET is not set +# CONFIG_FB_AUO_K190X is not set +CONFIG_FB_SIMPLE=y +# CONFIG_FB_SSD1307 is not set +# CONFIG_FB_SM712 is not set +CONFIG_BACKLIGHT_LCD_SUPPORT=y +CONFIG_LCD_CLASS_DEVICE=y +# CONFIG_LCD_L4F00242T03 is not set +# CONFIG_LCD_LMS283GF05 is not set +# CONFIG_LCD_LTV350QV is not set +# CONFIG_LCD_ILI922X is not set +# CONFIG_LCD_ILI9320 is not set +# CONFIG_LCD_TDO24M is not set +# CONFIG_LCD_VGG2432A4 is not set +# CONFIG_LCD_PLATFORM is not set +# CONFIG_LCD_S6E63M0 is not set +# CONFIG_LCD_LD9040 is not set +# CONFIG_LCD_AMS369FG06 is not set +# CONFIG_LCD_LMS501KF03 is not set +# CONFIG_LCD_HX8357 is not set +CONFIG_BACKLIGHT_CLASS_DEVICE=y +CONFIG_BACKLIGHT_GENERIC=y +# CONFIG_BACKLIGHT_APPLE is not set +# CONFIG_BACKLIGHT_PM8941_WLED is not set +# CONFIG_BACKLIGHT_SAHARA is not set +# CONFIG_BACKLIGHT_ADP8860 is not set +# CONFIG_BACKLIGHT_ADP8870 is not set +# CONFIG_BACKLIGHT_LM3639 is not set +# CONFIG_BACKLIGHT_GPIO is not set +# CONFIG_BACKLIGHT_LV5207LP is not set +# CONFIG_BACKLIGHT_BD6107 is not set +# CONFIG_VGASTATE is not set +CONFIG_HDMI=y + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +CONFIG_VGACON_SOFT_SCROLLBACK=y +CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64 +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +CONFIG_FRAMEBUFFER_CONSOLE=y +CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y +# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set +# CONFIG_LOGO is not set +CONFIG_SOUND=y +CONFIG_SOUND_OSS_CORE=y +# 
CONFIG_SOUND_OSS_CORE_PRECLAIM is not set +CONFIG_SND=y +CONFIG_SND_TIMER=y +CONFIG_SND_PCM=y +CONFIG_SND_JACK=y +CONFIG_SND_JACK_INPUT_DEV=y +CONFIG_SND_SEQUENCER=y +# CONFIG_SND_SEQ_DUMMY is not set +CONFIG_SND_OSSEMUL=y +# CONFIG_SND_MIXER_OSS is not set +# CONFIG_SND_PCM_OSS is not set +CONFIG_SND_PCM_TIMER=y +CONFIG_SND_SEQUENCER_OSS=y +# CONFIG_SND_HRTIMER is not set +CONFIG_SND_DYNAMIC_MINORS=y +CONFIG_SND_MAX_CARDS=32 +CONFIG_SND_SUPPORT_OLD_API=y +CONFIG_SND_PROC_FS=y +CONFIG_SND_VERBOSE_PROCFS=y +# CONFIG_SND_VERBOSE_PRINTK is not set +# CONFIG_SND_DEBUG is not set +CONFIG_SND_VMASTER=y +CONFIG_SND_DMA_SGBUF=y +# CONFIG_SND_RAWMIDI_SEQ is not set +# CONFIG_SND_OPL3_LIB_SEQ is not set +# CONFIG_SND_OPL4_LIB_SEQ is not set +# CONFIG_SND_SBAWE_SEQ is not set +# CONFIG_SND_EMU10K1_SEQ is not set +# CONFIG_SND_DRIVERS is not set +CONFIG_SND_PCI=y +# CONFIG_SND_AD1889 is not set +# CONFIG_SND_ALS300 is not set +# CONFIG_SND_ALS4000 is not set +# CONFIG_SND_ALI5451 is not set +# CONFIG_SND_ASIHPI is not set +# CONFIG_SND_ATIIXP is not set +# CONFIG_SND_ATIIXP_MODEM is not set +# CONFIG_SND_AU8810 is not set +# CONFIG_SND_AU8820 is not set +# CONFIG_SND_AU8830 is not set +# CONFIG_SND_AW2 is not set +# CONFIG_SND_AZT3328 is not set +# CONFIG_SND_BT87X is not set +# CONFIG_SND_CA0106 is not set +# CONFIG_SND_CMIPCI is not set +# CONFIG_SND_OXYGEN is not set +# CONFIG_SND_CS4281 is not set +# CONFIG_SND_CS46XX is not set +# CONFIG_SND_CTXFI is not set +# CONFIG_SND_DARLA20 is not set +# CONFIG_SND_GINA20 is not set +# CONFIG_SND_LAYLA20 is not set +# CONFIG_SND_DARLA24 is not set +# CONFIG_SND_GINA24 is not set +# CONFIG_SND_LAYLA24 is not set +# CONFIG_SND_MONA is not set +# CONFIG_SND_MIA is not set +# CONFIG_SND_ECHO3G is not set +# CONFIG_SND_INDIGO is not set +# CONFIG_SND_INDIGOIO is not set +# CONFIG_SND_INDIGODJ is not set +# CONFIG_SND_INDIGOIOX is not set +# CONFIG_SND_INDIGODJX is not set +# CONFIG_SND_EMU10K1 is not set +# CONFIG_SND_EMU10K1X is not set 
+# CONFIG_SND_ENS1370 is not set +# CONFIG_SND_ENS1371 is not set +# CONFIG_SND_ES1938 is not set +# CONFIG_SND_ES1968 is not set +# CONFIG_SND_FM801 is not set +# CONFIG_SND_HDSP is not set +# CONFIG_SND_HDSPM is not set +# CONFIG_SND_ICE1712 is not set +# CONFIG_SND_ICE1724 is not set +# CONFIG_SND_INTEL8X0 is not set +# CONFIG_SND_INTEL8X0M is not set +# CONFIG_SND_KORG1212 is not set +# CONFIG_SND_LOLA is not set +# CONFIG_SND_LX6464ES is not set +# CONFIG_SND_MAESTRO3 is not set +# CONFIG_SND_MIXART is not set +# CONFIG_SND_NM256 is not set +# CONFIG_SND_PCXHR is not set +# CONFIG_SND_RIPTIDE is not set +# CONFIG_SND_RME32 is not set +# CONFIG_SND_RME96 is not set +# CONFIG_SND_RME9652 is not set +# CONFIG_SND_SE6X is not set +# CONFIG_SND_SONICVIBES is not set +# CONFIG_SND_TRIDENT is not set +# CONFIG_SND_VIA82XX is not set +# CONFIG_SND_VIA82XX_MODEM is not set +# CONFIG_SND_VIRTUOSO is not set +# CONFIG_SND_VX222 is not set +# CONFIG_SND_YMFPCI is not set + +# +# HD-Audio +# +CONFIG_SND_HDA=y +CONFIG_SND_HDA_INTEL=y +# CONFIG_SND_HDA_HWDEP is not set +CONFIG_SND_HDA_RECONFIG=y +CONFIG_SND_HDA_INPUT_BEEP=y +CONFIG_SND_HDA_INPUT_BEEP_MODE=1 +# CONFIG_SND_HDA_PATCH_LOADER is not set +CONFIG_SND_HDA_CODEC_REALTEK=y +# CONFIG_SND_HDA_CODEC_ANALOG is not set +# CONFIG_SND_HDA_CODEC_SIGMATEL is not set +# CONFIG_SND_HDA_CODEC_VIA is not set +CONFIG_SND_HDA_CODEC_HDMI=y +# CONFIG_SND_HDA_CODEC_CIRRUS is not set +# CONFIG_SND_HDA_CODEC_CONEXANT is not set +# CONFIG_SND_HDA_CODEC_CA0110 is not set +# CONFIG_SND_HDA_CODEC_CA0132 is not set +# CONFIG_SND_HDA_CODEC_CMEDIA is not set +# CONFIG_SND_HDA_CODEC_SI3054 is not set +CONFIG_SND_HDA_GENERIC=y +CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0 +CONFIG_SND_HDA_CORE=y +CONFIG_SND_HDA_I915=y +CONFIG_SND_HDA_PREALLOC_SIZE=64 +CONFIG_SND_SPI=y +# CONFIG_SND_USB is not set +# CONFIG_SND_SOC is not set +# CONFIG_SOUND_PRIME is not set + +# +# HID support +# +CONFIG_HID=y +CONFIG_HID_BATTERY_STRENGTH=y +CONFIG_HIDRAW=y +CONFIG_UHID=y 
+CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +# CONFIG_HID_A4TECH is not set +# CONFIG_HID_ACRUX is not set +# CONFIG_HID_APPLE is not set +# CONFIG_HID_APPLEIR is not set +# CONFIG_HID_AUREAL is not set +# CONFIG_HID_BELKIN is not set +# CONFIG_HID_BETOP_FF is not set +# CONFIG_HID_CHERRY is not set +# CONFIG_HID_CHICONY is not set +# CONFIG_HID_CORSAIR is not set +# CONFIG_HID_PRODIKEYS is not set +# CONFIG_HID_CMEDIA is not set +# CONFIG_HID_CP2112 is not set +# CONFIG_HID_CYPRESS is not set +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +# CONFIG_HID_ELO is not set +# CONFIG_HID_EZKEY is not set +# CONFIG_HID_GEMBIRD is not set +# CONFIG_HID_GFRM is not set +# CONFIG_HID_HOLTEK is not set +# CONFIG_HID_GT683R is not set +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_UCLOGIC is not set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +# CONFIG_HID_TWINHAN is not set +# CONFIG_HID_KENSINGTON is not set +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LED is not set +# CONFIG_HID_LENOVO is not set +# CONFIG_HID_LOGITECH is not set +# CONFIG_HID_MAGICMOUSE is not set +# CONFIG_HID_MICROSOFT is not set +# CONFIG_HID_MONTEREY is not set +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_NTRIG is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PENMOUNT is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +# CONFIG_HID_PLANTRONICS is not set +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_ROCCAT is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SAMSUNG is not set +# CONFIG_HID_SONY is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# 
CONFIG_HID_THINGM is not set +# CONFIG_HID_THRUSTMASTER is not set +# CONFIG_HID_WACOM is not set +# CONFIG_HID_WIIMOTE is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +# CONFIG_HID_ALPS is not set + +# +# USB HID support +# +CONFIG_USB_HID=y +CONFIG_HID_PID=y +CONFIG_USB_HIDDEV=y + +# +# I2C HID support +# +# CONFIG_I2C_HID is not set + +# +# Intel ISH HID support +# +CONFIG_INTEL_ISH_HID=y +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +CONFIG_USB_COMMON=y +CONFIG_USB_ARCH_HAS_HCD=y +CONFIG_USB=y +CONFIG_USB_ANNOUNCE_NEW_DEVICES=y + +# +# Miscellaneous USB options +# +CONFIG_USB_DEFAULT_PERSIST=y +# CONFIG_USB_DYNAMIC_MINORS is not set +CONFIG_USB_OTG=y +# CONFIG_USB_OTG_WHITELIST is not set +# CONFIG_USB_OTG_BLACKLIST_HUB is not set +CONFIG_USB_OTG_FSM=y +# CONFIG_USB_LEDS_TRIGGER_USBPORT is not set +CONFIG_USB_MON=y +# CONFIG_USB_WUSB_CBAF is not set + +# +# USB Host Controller Drivers +# +# CONFIG_USB_C67X00_HCD is not set +CONFIG_USB_XHCI_HCD=y +CONFIG_USB_XHCI_PCI=y +CONFIG_USB_XHCI_PLATFORM=y +CONFIG_USB_EHCI_HCD=y +CONFIG_USB_EHCI_ROOT_HUB_TT=y +CONFIG_USB_EHCI_TT_NEWSCHED=y +CONFIG_USB_EHCI_PCI=y +CONFIG_USB_EHCI_HCD_PLATFORM=y +# CONFIG_USB_OXU210HP_HCD is not set +# CONFIG_USB_ISP116X_HCD is not set +# CONFIG_USB_ISP1362_HCD is not set +# CONFIG_USB_FOTG210_HCD is not set +# CONFIG_USB_MAX3421_HCD is not set +CONFIG_USB_OHCI_HCD=y +CONFIG_USB_OHCI_HCD_PCI=y +# CONFIG_USB_OHCI_HCD_SSB is not set +# CONFIG_USB_OHCI_HCD_PLATFORM is not set +CONFIG_USB_UHCI_HCD=y +# CONFIG_USB_SL811_HCD is not set +# CONFIG_USB_R8A66597_HCD is not set +# CONFIG_USB_HCD_SSB is not set +# CONFIG_USB_HCD_TEST_MODE is not set + +# +# USB Device Class drivers +# +CONFIG_USB_ACM=y +CONFIG_USB_PRINTER=y +# CONFIG_USB_WDM is not set +# CONFIG_USB_TMC is not set + +# +# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may +# + +# +# also be needed; see USB_STORAGE Help for more 
info +# +CONFIG_USB_STORAGE=y +# CONFIG_USB_STORAGE_DEBUG is not set +# CONFIG_USB_STORAGE_REALTEK is not set +# CONFIG_USB_STORAGE_DATAFAB is not set +# CONFIG_USB_STORAGE_FREECOM is not set +# CONFIG_USB_STORAGE_ISD200 is not set +# CONFIG_USB_STORAGE_USBAT is not set +# CONFIG_USB_STORAGE_SDDR09 is not set +# CONFIG_USB_STORAGE_SDDR55 is not set +# CONFIG_USB_STORAGE_JUMPSHOT is not set +# CONFIG_USB_STORAGE_ALAUDA is not set +# CONFIG_USB_STORAGE_ONETOUCH is not set +# CONFIG_USB_STORAGE_KARMA is not set +# CONFIG_USB_STORAGE_CYPRESS_ATACB is not set +# CONFIG_USB_STORAGE_ENE_UB6250 is not set +CONFIG_USB_UAS=y + +# +# USB Imaging devices +# +# CONFIG_USB_MDC800 is not set +# CONFIG_USB_MICROTEK is not set +# CONFIG_USBIP_CORE is not set +# CONFIG_USB_MUSB_HDRC is not set +CONFIG_USB_DWC3=y +CONFIG_USB_DWC3_HOST=y + +# +# Platform Glue Driver Support +# +CONFIG_USB_DWC3_PCI=y +CONFIG_USB_DWC3_OF_SIMPLE=y +CONFIG_USB_DWC2=y +CONFIG_USB_DWC2_HOST=y + +# +# Gadget/Dual-role mode requires USB Gadget support to be enabled +# +# CONFIG_USB_DWC2_PCI is not set +# CONFIG_USB_DWC2_DEBUG is not set +# CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set +# CONFIG_USB_CHIPIDEA is not set +# CONFIG_USB_ISP1760 is not set + +# +# USB port drivers +# +CONFIG_USB_SERIAL=y +CONFIG_USB_SERIAL_CONSOLE=y +CONFIG_USB_SERIAL_GENERIC=y +CONFIG_USB_SERIAL_SIMPLE=y +# CONFIG_USB_SERIAL_AIRCABLE is not set +# CONFIG_USB_SERIAL_ARK3116 is not set +# CONFIG_USB_SERIAL_BELKIN is not set +# CONFIG_USB_SERIAL_CH341 is not set +# CONFIG_USB_SERIAL_WHITEHEAT is not set +# CONFIG_USB_SERIAL_DIGI_ACCELEPORT is not set +# CONFIG_USB_SERIAL_CP210X is not set +# CONFIG_USB_SERIAL_CYPRESS_M8 is not set +# CONFIG_USB_SERIAL_EMPEG is not set +CONFIG_USB_SERIAL_FTDI_SIO=y +# CONFIG_USB_SERIAL_VISOR is not set +# CONFIG_USB_SERIAL_IPAQ is not set +# CONFIG_USB_SERIAL_IR is not set +# CONFIG_USB_SERIAL_EDGEPORT is not set +# CONFIG_USB_SERIAL_EDGEPORT_TI is not set +# CONFIG_USB_SERIAL_F81232 is not set +# 
CONFIG_USB_SERIAL_GARMIN is not set +# CONFIG_USB_SERIAL_IPW is not set +# CONFIG_USB_SERIAL_IUU is not set +# CONFIG_USB_SERIAL_KEYSPAN_PDA is not set +# CONFIG_USB_SERIAL_KEYSPAN is not set +# CONFIG_USB_SERIAL_KLSI is not set +# CONFIG_USB_SERIAL_KOBIL_SCT is not set +# CONFIG_USB_SERIAL_MCT_U232 is not set +# CONFIG_USB_SERIAL_METRO is not set +# CONFIG_USB_SERIAL_MOS7720 is not set +# CONFIG_USB_SERIAL_MOS7840 is not set +# CONFIG_USB_SERIAL_MXUPORT is not set +# CONFIG_USB_SERIAL_NAVMAN is not set +# CONFIG_USB_SERIAL_PL2303 is not set +# CONFIG_USB_SERIAL_OTI6858 is not set +# CONFIG_USB_SERIAL_QCAUX is not set +# CONFIG_USB_SERIAL_QUALCOMM is not set +# CONFIG_USB_SERIAL_SPCP8X5 is not set +# CONFIG_USB_SERIAL_SAFE is not set +# CONFIG_USB_SERIAL_SIERRAWIRELESS is not set +# CONFIG_USB_SERIAL_SYMBOL is not set +# CONFIG_USB_SERIAL_TI is not set +# CONFIG_USB_SERIAL_CYBERJACK is not set +# CONFIG_USB_SERIAL_XIRCOM is not set +# CONFIG_USB_SERIAL_OPTION is not set +# CONFIG_USB_SERIAL_OMNINET is not set +# CONFIG_USB_SERIAL_OPTICON is not set +# CONFIG_USB_SERIAL_XSENS_MT is not set +# CONFIG_USB_SERIAL_WISHBONE is not set +# CONFIG_USB_SERIAL_SSU100 is not set +# CONFIG_USB_SERIAL_QT2 is not set +# CONFIG_USB_SERIAL_DEBUG is not set + +# +# USB Miscellaneous drivers +# +# CONFIG_USB_EMI62 is not set +# CONFIG_USB_EMI26 is not set +# CONFIG_USB_ADUTUX is not set +# CONFIG_USB_SEVSEG is not set +# CONFIG_USB_RIO500 is not set +# CONFIG_USB_LEGOTOWER is not set +# CONFIG_USB_LCD is not set +# CONFIG_USB_CYPRESS_CY7C63 is not set +# CONFIG_USB_CYTHERM is not set +# CONFIG_USB_IDMOUSE is not set +# CONFIG_USB_FTDI_ELAN is not set +# CONFIG_USB_APPLEDISPLAY is not set +# CONFIG_USB_SISUSBVGA is not set +# CONFIG_USB_LD is not set +# CONFIG_USB_TRANCEVIBRATOR is not set +# CONFIG_USB_IOWARRIOR is not set +# CONFIG_USB_TEST is not set +# CONFIG_USB_EHSET_TEST_FIXTURE is not set +# CONFIG_USB_ISIGHTFW is not set +# CONFIG_USB_YUREX is not set +# CONFIG_USB_EZUSB_FX2 
is not set +# CONFIG_USB_HSIC_USB3503 is not set +# CONFIG_USB_HSIC_USB4604 is not set +# CONFIG_USB_LINK_LAYER_TEST is not set +# CONFIG_UCSI is not set + +# +# USB Physical Layer drivers +# +CONFIG_USB_PHY=y +# CONFIG_NOP_USB_XCEIV is not set +# CONFIG_USB_GPIO_VBUS is not set +# CONFIG_USB_ISP1301 is not set +# CONFIG_USB_GADGET is not set +# CONFIG_USB_LED_TRIG is not set +# CONFIG_USB_ULPI_BUS is not set +# CONFIG_UWB is not set +CONFIG_MMC=y +# CONFIG_MMC_DEBUG is not set +CONFIG_PWRSEQ_EMMC=y +CONFIG_PWRSEQ_SIMPLE=y + +# +# MMC/SD/SDIO Card Drivers +# +CONFIG_MMC_BLOCK=y +CONFIG_MMC_BLOCK_MINORS=8 +CONFIG_MMC_BLOCK_BOUNCE=y +# CONFIG_SDIO_UART is not set +# CONFIG_MMC_TEST is not set + +# +# MMC/SD/SDIO Host Controller Drivers +# +CONFIG_MMC_SDHCI=y +CONFIG_MMC_SDHCI_PCI=y +CONFIG_MMC_RICOH_MMC=y +CONFIG_MMC_SDHCI_ACPI=y +CONFIG_MMC_SDHCI_PLTFM=y +# CONFIG_MMC_SDHCI_OF_ARASAN is not set +# CONFIG_MMC_SDHCI_OF_AT91 is not set +# CONFIG_MMC_SDHCI_F_SDH30 is not set +# CONFIG_MMC_WBSD is not set +# CONFIG_MMC_TIFM_SD is not set +CONFIG_MMC_SPI=y +# CONFIG_MMC_CB710 is not set +# CONFIG_MMC_VIA_SDMMC is not set +# CONFIG_MMC_VUB300 is not set +# CONFIG_MMC_USHC is not set +# CONFIG_MMC_USDHI6ROL0 is not set +# CONFIG_MMC_TOSHIBA_PCI is not set +# CONFIG_MMC_MTK is not set +# CONFIG_MEMSTICK is not set +CONFIG_NEW_LEDS=y +CONFIG_LEDS_CLASS=y +# CONFIG_LEDS_CLASS_FLASH is not set + +# +# LED drivers +# +# CONFIG_LEDS_BCM6328 is not set +# CONFIG_LEDS_BCM6358 is not set +# CONFIG_LEDS_LM3530 is not set +# CONFIG_LEDS_LM3642 is not set +# CONFIG_LEDS_PCA9532 is not set +# CONFIG_LEDS_GPIO is not set +# CONFIG_LEDS_LP3944 is not set +# CONFIG_LEDS_LP3952 is not set +# CONFIG_LEDS_LP5521 is not set +# CONFIG_LEDS_LP5523 is not set +# CONFIG_LEDS_LP5562 is not set +# CONFIG_LEDS_LP8501 is not set +# CONFIG_LEDS_LP8860 is not set +# CONFIG_LEDS_CLEVO_MAIL is not set +# CONFIG_LEDS_PCA955X is not set +# CONFIG_LEDS_PCA963X is not set +# CONFIG_LEDS_DAC124S085 is not set 
+# CONFIG_LEDS_BD2802 is not set +# CONFIG_LEDS_INTEL_SS4200 is not set +# CONFIG_LEDS_LT3593 is not set +# CONFIG_LEDS_TCA6507 is not set +# CONFIG_LEDS_TLC591XX is not set +# CONFIG_LEDS_LM355x is not set +# CONFIG_LEDS_IS31FL319X is not set +# CONFIG_LEDS_IS31FL32XX is not set + +# +# LED driver for blink(1) USB RGB LED is under Special HID drivers (HID_THINGM) +# +# CONFIG_LEDS_BLINKM is not set +# CONFIG_LEDS_MLXCPLD is not set + +# +# LED Triggers +# +CONFIG_LEDS_TRIGGERS=y +# CONFIG_LEDS_TRIGGER_TIMER is not set +# CONFIG_LEDS_TRIGGER_ONESHOT is not set +# CONFIG_LEDS_TRIGGER_DISK is not set +# CONFIG_LEDS_TRIGGER_HEARTBEAT is not set +# CONFIG_LEDS_TRIGGER_BACKLIGHT is not set +# CONFIG_LEDS_TRIGGER_CPU is not set +# CONFIG_LEDS_TRIGGER_GPIO is not set +# CONFIG_LEDS_TRIGGER_DEFAULT_ON is not set + +# +# iptables trigger is under Netfilter config (LED target) +# +# CONFIG_LEDS_TRIGGER_TRANSIENT is not set +# CONFIG_LEDS_TRIGGER_CAMERA is not set +# CONFIG_LEDS_TRIGGER_PANIC is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +CONFIG_EDAC_ATOMIC_SCRUB=y +CONFIG_EDAC_SUPPORT=y +# CONFIG_EDAC is not set +CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y +CONFIG_RTC_CLASS=y +CONFIG_RTC_HCTOSYS=y +CONFIG_RTC_HCTOSYS_DEVICE="rtc0" +CONFIG_RTC_SYSTOHC=y +CONFIG_RTC_SYSTOHC_DEVICE="rtc0" +# CONFIG_RTC_DEBUG is not set + +# +# RTC interfaces +# +CONFIG_RTC_INTF_SYSFS=y +CONFIG_RTC_INTF_PROC=y +CONFIG_RTC_INTF_DEV=y +# CONFIG_RTC_INTF_DEV_UIE_EMUL is not set +# CONFIG_RTC_DRV_TEST is not set + +# +# I2C RTC drivers +# +# CONFIG_RTC_DRV_ABB5ZES3 is not set +# CONFIG_RTC_DRV_ABX80X is not set +# CONFIG_RTC_DRV_DS1307 is not set +# CONFIG_RTC_DRV_DS1374 is not set +# CONFIG_RTC_DRV_DS1672 is not set +# CONFIG_RTC_DRV_HYM8563 is not set +# CONFIG_RTC_DRV_MAX6900 is not set +# CONFIG_RTC_DRV_RS5C372 is not set +# CONFIG_RTC_DRV_ISL1208 is not set +# CONFIG_RTC_DRV_ISL12022 is not set +# CONFIG_RTC_DRV_X1205 is not set +# CONFIG_RTC_DRV_PCF8523 is not 
set +# CONFIG_RTC_DRV_PCF85063 is not set +# CONFIG_RTC_DRV_PCF8563 is not set +# CONFIG_RTC_DRV_PCF8583 is not set +# CONFIG_RTC_DRV_M41T80 is not set +# CONFIG_RTC_DRV_BQ32K is not set +# CONFIG_RTC_DRV_S35390A is not set +# CONFIG_RTC_DRV_FM3130 is not set +# CONFIG_RTC_DRV_RX8010 is not set +# CONFIG_RTC_DRV_RX8581 is not set +# CONFIG_RTC_DRV_RX8025 is not set +# CONFIG_RTC_DRV_EM3027 is not set +# CONFIG_RTC_DRV_RV8803 is not set + +# +# SPI RTC drivers +# +# CONFIG_RTC_DRV_M41T93 is not set +# CONFIG_RTC_DRV_M41T94 is not set +# CONFIG_RTC_DRV_DS1302 is not set +# CONFIG_RTC_DRV_DS1305 is not set +# CONFIG_RTC_DRV_DS1343 is not set +# CONFIG_RTC_DRV_DS1347 is not set +# CONFIG_RTC_DRV_DS1390 is not set +# CONFIG_RTC_DRV_MAX6916 is not set +# CONFIG_RTC_DRV_R9701 is not set +# CONFIG_RTC_DRV_RX4581 is not set +# CONFIG_RTC_DRV_RX6110 is not set +# CONFIG_RTC_DRV_RS5C348 is not set +# CONFIG_RTC_DRV_MAX6902 is not set +# CONFIG_RTC_DRV_PCF2123 is not set +# CONFIG_RTC_DRV_MCP795 is not set +CONFIG_RTC_I2C_AND_SPI=y + +# +# SPI and I2C RTC drivers +# +# CONFIG_RTC_DRV_DS3232 is not set +# CONFIG_RTC_DRV_PCF2127 is not set +# CONFIG_RTC_DRV_RV3029C2 is not set + +# +# Platform RTC drivers +# +CONFIG_RTC_DRV_CMOS=y +# CONFIG_RTC_DRV_DS1286 is not set +# CONFIG_RTC_DRV_DS1511 is not set +# CONFIG_RTC_DRV_DS1553 is not set +# CONFIG_RTC_DRV_DS1685_FAMILY is not set +# CONFIG_RTC_DRV_DS1742 is not set +# CONFIG_RTC_DRV_DS2404 is not set +# CONFIG_RTC_DRV_STK17TA8 is not set +# CONFIG_RTC_DRV_M48T86 is not set +# CONFIG_RTC_DRV_M48T35 is not set +# CONFIG_RTC_DRV_M48T59 is not set +# CONFIG_RTC_DRV_MSM6242 is not set +# CONFIG_RTC_DRV_BQ4802 is not set +# CONFIG_RTC_DRV_RP5C01 is not set +# CONFIG_RTC_DRV_V3020 is not set +# CONFIG_RTC_DRV_ZYNQMP is not set + +# +# on-CPU RTC drivers +# +# CONFIG_RTC_DRV_SNVS is not set + +# +# HID Sensor RTC drivers +# +# CONFIG_RTC_DRV_HID_SENSOR_TIME is not set +CONFIG_DMADEVICES=y +# CONFIG_DMADEVICES_DEBUG is not set + +# +# DMA 
Devices +# +CONFIG_DMA_ENGINE=y +CONFIG_DMA_VIRTUAL_CHANNELS=y +CONFIG_DMA_ACPI=y +CONFIG_DMA_OF=y +# CONFIG_FSL_EDMA is not set +CONFIG_INTEL_IDMA64=y +CONFIG_INTEL_IOATDMA=y +CONFIG_INTEL_MIC_X100_DMA=y +# CONFIG_QCOM_HIDMA_MGMT is not set +# CONFIG_QCOM_HIDMA is not set +CONFIG_DW_DMAC_CORE=y +# CONFIG_DW_DMAC is not set +CONFIG_DW_DMAC_PCI=y +CONFIG_HSU_DMA=y + +# +# DMA Clients +# +# CONFIG_ASYNC_TX_DMA is not set +# CONFIG_DMATEST is not set +CONFIG_DMA_ENGINE_RAID=y + +# +# DMABUF options +# +# CONFIG_SYNC_FILE is not set +CONFIG_DCA=y +# CONFIG_AUXDISPLAY is not set +CONFIG_UIO=y +# CONFIG_UIO_CIF is not set +# CONFIG_UIO_PDRV_GENIRQ is not set +# CONFIG_UIO_DMEM_GENIRQ is not set +# CONFIG_UIO_AEC is not set +# CONFIG_UIO_SERCOS3 is not set +# CONFIG_UIO_PCI_GENERIC is not set +# CONFIG_UIO_NETX is not set +# CONFIG_UIO_PRUSS is not set +# CONFIG_UIO_MF624 is not set +# CONFIG_VFIO is not set +CONFIG_IRQ_BYPASS_MANAGER=y +CONFIG_VIRT_DRIVERS=y +CONFIG_VIRTIO=y + +# +# Virtio drivers +# +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_BALLOON=y +CONFIG_VIRTIO_INPUT=y +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set + +# +# Microsoft Hyper-V guest support +# +# CONFIG_STAGING is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACER_WMI is not set +# CONFIG_ACERHDF is not set +# CONFIG_ALIENWARE_WMI is not set +# CONFIG_ASUS_LAPTOP is not set +# CONFIG_DELL_WMI_AIO is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_DELL_RBTN is not set +# CONFIG_FUJITSU_LAPTOP is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_AMILO_RFKILL is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# CONFIG_HP_WMI is not set +# CONFIG_MSI_LAPTOP is not set +# CONFIG_PANASONIC_LAPTOP is not set +# CONFIG_COMPAL_LAPTOP is not set +# CONFIG_SONY_LAPTOP is not set +# CONFIG_IDEAPAD_LAPTOP is not set +# CONFIG_THINKPAD_ACPI is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_MENLOW is not set +# 
CONFIG_ASUS_WIRELESS is not set +CONFIG_ACPI_WMI=y +# CONFIG_MSI_WMI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +CONFIG_TOSHIBA_BT_RFKILL=y +CONFIG_TOSHIBA_HAPS=y +CONFIG_TOSHIBA_WMI=y +# CONFIG_ACPI_CMPC is not set +CONFIG_INTEL_HID_EVENT=y +CONFIG_INTEL_VBTN=y +# CONFIG_INTEL_IPS is not set +# CONFIG_INTEL_PMC_CORE is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SAMSUNG_LAPTOP is not set +# CONFIG_MXM_WMI is not set +# CONFIG_INTEL_OAKTRAIL is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_APPLE_GMUX is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_PVPANIC is not set +CONFIG_INTEL_PMC_IPC=y +# CONFIG_SURFACE_PRO3_BUTTON is not set +CONFIG_INTEL_PUNIT_IPC=y +# CONFIG_INTEL_TELEMETRY is not set +# CONFIG_CHROME_PLATFORMS is not set +CONFIG_CLKDEV_LOOKUP=y +CONFIG_HAVE_CLK_PREPARE=y +CONFIG_COMMON_CLK=y + +# +# Common Clock Framework +# +# CONFIG_COMMON_CLK_SI5351 is not set +# CONFIG_COMMON_CLK_SI514 is not set +# CONFIG_COMMON_CLK_SI570 is not set +# CONFIG_COMMON_CLK_CDCE706 is not set +# CONFIG_COMMON_CLK_CDCE925 is not set +# CONFIG_COMMON_CLK_CS2000_CP is not set +# CONFIG_COMMON_CLK_NXP is not set +# CONFIG_COMMON_CLK_PXA is not set +# CONFIG_COMMON_CLK_PIC32 is not set + +# +# Hardware Spinlock drivers +# + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# CONFIG_ATMEL_PIT is not set +# CONFIG_SH_TIMER_CMT is not set +# CONFIG_SH_TIMER_MTU2 is not set +# CONFIG_SH_TIMER_TMU is not set +# CONFIG_EM_TIMER_STI is not set +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_API=y +CONFIG_IOMMU_SUPPORT=y + +# +# Generic IOMMU Pagetable Support +# +CONFIG_IOMMU_IOVA=y +CONFIG_OF_IOMMU=y +# CONFIG_AMD_IOMMU is not set +CONFIG_DMAR_TABLE=y +CONFIG_INTEL_IOMMU=y +CONFIG_INTEL_IOMMU_SVM=y +CONFIG_INTEL_IOMMU_DEFAULT_ON=y +CONFIG_INTEL_IOMMU_FLOPPY_WA=y +# CONFIG_IRQ_REMAP is not set + +# +# Remoteproc drivers +# +# CONFIG_STE_MODEM_RPROC is not set + +# +# Rpmsg drivers +# + 
+# +# SOC (System On Chip) specific Drivers +# + +# +# Broadcom SoC drivers +# +# CONFIG_SUNXI_SRAM is not set +# CONFIG_SOC_TI is not set +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_VME_BUS is not set +# CONFIG_PWM is not set +CONFIG_IRQCHIP=y +CONFIG_ARM_GIC_MAX_NR=1 +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set +# CONFIG_FMC is not set + +# +# PHY Subsystem +# +CONFIG_GENERIC_PHY=y +# CONFIG_PHY_PXA_28NM_HSIC is not set +# CONFIG_PHY_PXA_28NM_USB2 is not set +# CONFIG_BCM_KONA_USB2_PHY is not set +# CONFIG_PHY_SAMSUNG_USB2 is not set +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set + +# +# Performance monitor support +# +CONFIG_RAS=y +# CONFIG_THUNDERBOLT is not set + +# +# Android +# +# CONFIG_ANDROID is not set +# CONFIG_LIBNVDIMM is not set +# CONFIG_NVMEM is not set +# CONFIG_STM is not set +# CONFIG_INTEL_TH is not set + +# +# FPGA Configuration Support +# +# CONFIG_FPGA is not set + +# +# Firmware Drivers +# +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +# CONFIG_DELL_RBU is not set +# CONFIG_DCDBAS is not set +CONFIG_DMIID=y +# CONFIG_DMI_SYSFS is not set +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_ISCSI_IBFT_FIND is not set +CONFIG_FW_CFG_SYSFS=y +# CONFIG_FW_CFG_SYSFS_CMDLINE is not set +# CONFIG_GOOGLE_FIRMWARE is not set + +# +# EFI (Extensible Firmware Interface) Support +# +CONFIG_EFI_VARS=y +CONFIG_EFI_ESRT=y +CONFIG_EFI_VARS_PSTORE=y +# CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set +# CONFIG_EFI_FAKE_MEMMAP is not set +CONFIG_EFI_RUNTIME_WRAPPERS=y +CONFIG_EFI_BOOTLOADER_CONTROL=y +CONFIG_EFI_CAPSULE_LOADER=y +# CONFIG_EFI_TEST is not set +CONFIG_UEFI_CPER=y + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +# CONFIG_EXT2_FS is not set +# CONFIG_EXT3_FS is not set +CONFIG_EXT4_FS=y +CONFIG_EXT4_USE_FOR_EXT2=y +CONFIG_EXT4_FS_POSIX_ACL=y +CONFIG_EXT4_FS_SECURITY=y +CONFIG_EXT4_ENCRYPTION=y 
+CONFIG_EXT4_FS_ENCRYPTION=y +# CONFIG_EXT4_DEBUG is not set +CONFIG_JBD2=y +# CONFIG_JBD2_DEBUG is not set +CONFIG_FS_MBCACHE=y +# CONFIG_REISERFS_FS is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_OCFS2_FS is not set +CONFIG_BTRFS_FS=y +CONFIG_BTRFS_FS_POSIX_ACL=y +# CONFIG_BTRFS_FS_CHECK_INTEGRITY is not set +# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set +# CONFIG_BTRFS_DEBUG is not set +# CONFIG_BTRFS_ASSERT is not set +CONFIG_NILFS2_FS=y +CONFIG_F2FS_FS=y +CONFIG_F2FS_FS_XATTR=y +CONFIG_F2FS_FS_POSIX_ACL=y +CONFIG_F2FS_FS_SECURITY=y +CONFIG_F2FS_CHECK_FS=y +CONFIG_F2FS_FS_ENCRYPTION=y +# CONFIG_F2FS_FAULT_INJECTION is not set +# CONFIG_FS_DAX is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_EXPORTFS=y +# CONFIG_EXPORTFS_BLOCK_OPS is not set +CONFIG_FILE_LOCKING=y +CONFIG_MANDATORY_FILE_LOCKING=y +CONFIG_FS_ENCRYPTION=y +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +CONFIG_FANOTIFY=y +# CONFIG_QUOTA is not set +# CONFIG_QUOTACTL is not set +# CONFIG_AUTOFS4_FS is not set +CONFIG_FUSE_FS=y +# CONFIG_CUSE is not set +CONFIG_OVERLAY_FS=y + +# +# Caches +# +CONFIG_FSCACHE=y +# CONFIG_FSCACHE_STATS is not set +# CONFIG_FSCACHE_HISTOGRAM is not set +# CONFIG_FSCACHE_DEBUG is not set +# CONFIG_FSCACHE_OBJECT_LIST is not set +# CONFIG_CACHEFILES is not set + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +CONFIG_ZISOFS=y +CONFIG_UDF_FS=y +CONFIG_UDF_NLS=y + +# +# DOS/FAT/NT Filesystems +# +CONFIG_FAT_FS=y +CONFIG_MSDOS_FS=y +CONFIG_VFAT_FS=y +CONFIG_FAT_DEFAULT_CODEPAGE=437 +CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1" +# CONFIG_FAT_DEFAULT_UTF8 is not set +CONFIG_NTFS_FS=m +# CONFIG_NTFS_DEBUG is not set +# CONFIG_NTFS_RW is not set + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_SYSCTL=y +# CONFIG_PROC_CHILDREN is not set +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +CONFIG_TMPFS_POSIX_ACL=y +CONFIG_TMPFS_XATTR=y +# CONFIG_HUGETLBFS is not set +# CONFIG_HUGETLB_PAGE 
is not set +CONFIG_ARCH_HAS_GIGANTIC_PAGE=y +CONFIG_CONFIGFS_FS=y +CONFIG_EFIVAR_FS=y +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ORANGEFS_FS is not set +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +CONFIG_ECRYPT_FS=y +# CONFIG_ECRYPT_FS_MESSAGING is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_LOGFS is not set +# CONFIG_CRAMFS is not set +CONFIG_SQUASHFS=y +CONFIG_SQUASHFS_FILE_CACHE=y +# CONFIG_SQUASHFS_FILE_DIRECT is not set +CONFIG_SQUASHFS_DECOMP_SINGLE=y +# CONFIG_SQUASHFS_DECOMP_MULTI is not set +# CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU is not set +CONFIG_SQUASHFS_XATTR=y +CONFIG_SQUASHFS_ZLIB=y +CONFIG_SQUASHFS_LZ4=y +CONFIG_SQUASHFS_LZO=y +CONFIG_SQUASHFS_XZ=y +# CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set +CONFIG_SQUASHFS_EMBEDDED=y +CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3 +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +CONFIG_PSTORE=y +CONFIG_PSTORE_ZLIB_COMPRESS=y +# CONFIG_PSTORE_LZO_COMPRESS is not set +# CONFIG_PSTORE_LZ4_COMPRESS is not set +# CONFIG_PSTORE_CONSOLE is not set +# CONFIG_PSTORE_PMSG is not set +# CONFIG_PSTORE_RAM is not set +# CONFIG_SYSV_FS is not set +CONFIG_UFS_FS=y +# CONFIG_UFS_FS_WRITE is not set +# CONFIG_UFS_DEBUG is not set +# CONFIG_NETWORK_FILESYSTEMS is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="utf-8" +CONFIG_NLS_CODEPAGE_437=y +CONFIG_NLS_CODEPAGE_737=y +CONFIG_NLS_CODEPAGE_775=y +CONFIG_NLS_CODEPAGE_850=y +CONFIG_NLS_CODEPAGE_852=y +CONFIG_NLS_CODEPAGE_855=y +CONFIG_NLS_CODEPAGE_857=y +CONFIG_NLS_CODEPAGE_860=y +CONFIG_NLS_CODEPAGE_861=y +CONFIG_NLS_CODEPAGE_862=y +CONFIG_NLS_CODEPAGE_863=y +CONFIG_NLS_CODEPAGE_864=y +CONFIG_NLS_CODEPAGE_865=y +CONFIG_NLS_CODEPAGE_866=y +CONFIG_NLS_CODEPAGE_869=y +# CONFIG_NLS_CODEPAGE_936 is not set +# 
CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +CONFIG_NLS_ASCII=y +CONFIG_NLS_ISO8859_1=y +CONFIG_NLS_ISO8859_2=y +CONFIG_NLS_ISO8859_3=y +CONFIG_NLS_ISO8859_4=y +CONFIG_NLS_ISO8859_5=y +CONFIG_NLS_ISO8859_6=y +CONFIG_NLS_ISO8859_7=y +CONFIG_NLS_ISO8859_9=y +CONFIG_NLS_ISO8859_13=y +CONFIG_NLS_ISO8859_14=y +CONFIG_NLS_ISO8859_15=y +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +CONFIG_NLS_UTF8=y +# CONFIG_DLM is not set + +# +# Kernel hacking +# +CONFIG_TRACE_IRQFLAGS_SUPPORT=y + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is not set +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set + +# +# Compile-time checks and compiler options +# +# CONFIG_DEBUG_INFO is not set +# CONFIG_ENABLE_WARN_DEPRECATED is not set +# CONFIG_ENABLE_MUST_CHECK is not set +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_UNUSED_SYMBOLS is not set +# CONFIG_HEADERS_CHECK is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_ARCH_WANT_FRAME_POINTERS=y +# CONFIG_FRAME_POINTER is not set +# CONFIG_STACK_VALIDATION is not set +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# CONFIG_MAGIC_SYSRQ is not set +CONFIG_DEBUG_KERNEL=y + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_PAGE_POISONING is not set +# 
CONFIG_DEBUG_OBJECTS is not set +# CONFIG_SLUB_DEBUG_ON is not set +# CONFIG_SLUB_STATS is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_DEBUG_VM is not set +# CONFIG_DEBUG_VIRTUAL is not set +# CONFIG_DEBUG_MEMORY_INIT is not set +# CONFIG_DEBUG_PER_CPU_MAPS is not set +CONFIG_HAVE_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set +CONFIG_HAVE_ARCH_KMEMCHECK=y +# CONFIG_KMEMCHECK is not set +CONFIG_HAVE_ARCH_KASAN=y +# CONFIG_KASAN is not set +CONFIG_ARCH_HAS_KCOV=y +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Lockups and Hangs +# +# CONFIG_LOCKUP_DETECTOR is not set +# CONFIG_DETECT_HUNG_TASK is not set +# CONFIG_WQ_WATCHDOG is not set +# CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +CONFIG_SCHED_DEBUG=y +CONFIG_SCHED_INFO=y +# CONFIG_SCHEDSTATS is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +# CONFIG_DEBUG_TIMEKEEPING is not set +# CONFIG_TIMER_STATS is not set + +# +# Lock Debugging (spinlocks, mutexes, etc...) 
+# +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_STACKTRACE is not set +# CONFIG_DEBUG_KOBJECT is not set +CONFIG_DEBUG_BUGVERBOSE=y +CONFIG_DEBUG_LIST=y +# CONFIG_DEBUG_PI_LIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_PROVE_RCU is not set +# CONFIG_SPARSE_RCU_POINTER is not set +# CONFIG_TORTURE_TEST is not set +# CONFIG_RCU_PERF_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +CONFIG_RCU_CPU_STALL_TIMEOUT=21 +# CONFIG_RCU_TRACE is not set +# CONFIG_RCU_EQS_DEBUG is not set +# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set +# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_FAULT_INJECTION is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_C_RECORDMCOUNT=y + +# +# Runtime Testing +# +# CONFIG_TEST_LIST_SORT is not set +# CONFIG_KPROBES_SANITY_TEST is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_INTERVAL_TREE_TEST is not set +# CONFIG_PERCPU_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_ASYNC_RAID6_TEST is not set +# CONFIG_TEST_HEXDUMP is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_PRINTF is not set +# CONFIG_TEST_BITMAP is not set +# CONFIG_TEST_UUID is not set +# CONFIG_TEST_RHASHTABLE is not set +# CONFIG_TEST_HASH is not set +# CONFIG_DMA_API_DEBUG is not set +# CONFIG_TEST_LKM is not set +# CONFIG_TEST_USER_COPY is not set +# CONFIG_TEST_BPF is not set +# CONFIG_TEST_FIRMWARE is not set +# 
CONFIG_TEST_UDELAY is not set +# CONFIG_MEMTEST is not set +# CONFIG_TEST_STATIC_KEYS is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_ARCH_WANTS_UBSAN_NO_NULL is not set +# CONFIG_UBSAN is not set +CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y +CONFIG_STRICT_DEVMEM=y +# CONFIG_IO_STRICT_DEVMEM is not set +# CONFIG_X86_VERBOSE_BOOTUP is not set +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_EARLY_PRINTK_EFI is not set +# CONFIG_X86_PTDUMP_CORE is not set +# CONFIG_EFI_PGT_DUMP is not set +CONFIG_DEBUG_RODATA_TEST=y +# CONFIG_DEBUG_NX_TEST is not set +CONFIG_DOUBLEFAULT=y +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_STRESS is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +# CONFIG_X86_DECODER_SELFTEST is not set +CONFIG_IO_DELAY_TYPE_0X80=0 +CONFIG_IO_DELAY_TYPE_0XED=1 +CONFIG_IO_DELAY_TYPE_UDELAY=2 +CONFIG_IO_DELAY_TYPE_NONE=3 +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +CONFIG_DEFAULT_IO_DELAY_TYPE=0 +# CONFIG_CPA_DEBUG is not set +# CONFIG_OPTIMIZE_INLINING is not set +# CONFIG_DEBUG_ENTRY is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +CONFIG_X86_DEBUG_FPU=y + +# +# Security options +# + +# +# Grsecurity +# +CONFIG_PAX_PER_CPU_PGD=y +CONFIG_TASK_SIZE_MAX_SHIFT=42 +CONFIG_GRKERNSEC=y +CONFIG_GRKERNSEC_CONFIG_AUTO=y +# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set +CONFIG_GRKERNSEC_CONFIG_SERVER=y +# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set +# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set +# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set +CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y +CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y +# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set +# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set +# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set +CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y +# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set +# 
CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set +# CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set +CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y + +# +# Default Special Groups +# +CONFIG_GRKERNSEC_PROC_GID=1001 +CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=1005 +CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006 + +# +# Customize Configuration +# + +# +# PaX +# +CONFIG_PAX=y + +# +# PaX Control +# +# CONFIG_PAX_SOFTMODE is not set +CONFIG_PAX_EI_PAX=y +CONFIG_PAX_PT_PAX_FLAGS=y +CONFIG_PAX_XATTR_PAX_FLAGS=y +# CONFIG_PAX_NO_ACL_FLAGS is not set +CONFIG_PAX_HAVE_ACL_FLAGS=y +# CONFIG_PAX_HOOK_ACL_FLAGS is not set + +# +# Non-executable pages +# +CONFIG_PAX_NOEXEC=y +CONFIG_PAX_PAGEEXEC=y +CONFIG_PAX_EMUTRAMP=y +CONFIG_PAX_MPROTECT=y +# CONFIG_PAX_MPROTECT_COMPAT is not set +# CONFIG_PAX_ELFRELOCS is not set +CONFIG_PAX_KERNEXEC=y +CONFIG_PAX_KERNEXEC_PLUGIN=y +# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set +CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y +# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set + +# +# Address Space Layout Randomization +# +CONFIG_PAX_ASLR=y +CONFIG_PAX_RANDKSTACK=y +CONFIG_PAX_RANDUSTACK=y +CONFIG_PAX_RANDMMAP=y + +# +# Miscellaneous hardening features +# +CONFIG_PAX_MEMORY_SANITIZE=y +CONFIG_PAX_MEMORY_STACKLEAK=y +CONFIG_PAX_MEMORY_STRUCTLEAK=y +CONFIG_PAX_MEMORY_UDEREF=y +CONFIG_PAX_REFCOUNT=y +CONFIG_PAX_USERCOPY=y +CONFIG_PAX_CONSTIFY_PLUGIN=y +# CONFIG_PAX_USERCOPY_DEBUG is not set +CONFIG_PAX_SIZE_OVERFLOW=y +CONFIG_PAX_SIZE_OVERFLOW_EXTRA=y +# CONFIG_PAX_INITIFY is not set +CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y +CONFIG_PAX_LATENT_ENTROPY=y +CONFIG_PAX_RAP=y + +# +# Memory Protections +# +CONFIG_GRKERNSEC_KMEM=y +CONFIG_GRKERNSEC_IO=y +CONFIG_GRKERNSEC_BPF_HARDEN=y +CONFIG_GRKERNSEC_PERF_HARDEN=y +CONFIG_GRKERNSEC_RAND_THREADSTACK=y +CONFIG_GRKERNSEC_PROC_MEMMAP=y +CONFIG_GRKERNSEC_KSTACKOVERFLOW=y +CONFIG_GRKERNSEC_BRUTE=y +CONFIG_GRKERNSEC_MODHARDEN=y +CONFIG_GRKERNSEC_HIDESYM=y +CONFIG_GRKERNSEC_RANDSTRUCT=y +# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not 
set +CONFIG_GRKERNSEC_KERN_LOCKOUT=y + +# +# Role Based Access Control Options +# +# CONFIG_GRKERNSEC_NO_RBAC is not set +# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set +CONFIG_GRKERNSEC_ACL_MAXTRIES=3 +CONFIG_GRKERNSEC_ACL_TIMEOUT=30 + +# +# Filesystem Protections +# +CONFIG_GRKERNSEC_PROC=y +# CONFIG_GRKERNSEC_PROC_USER is not set +CONFIG_GRKERNSEC_PROC_USERGROUP=y +CONFIG_GRKERNSEC_PROC_ADD=y +CONFIG_GRKERNSEC_LINK=y +CONFIG_GRKERNSEC_SYMLINKOWN=y +CONFIG_GRKERNSEC_FIFO=y +CONFIG_GRKERNSEC_SYSFS_RESTRICT=y +# CONFIG_GRKERNSEC_ROFS is not set +CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y +CONFIG_GRKERNSEC_CHROOT=y +CONFIG_GRKERNSEC_CHROOT_MOUNT=y +CONFIG_GRKERNSEC_CHROOT_DOUBLE=y +CONFIG_GRKERNSEC_CHROOT_PIVOT=y +CONFIG_GRKERNSEC_CHROOT_CHDIR=y +CONFIG_GRKERNSEC_CHROOT_CHMOD=y +CONFIG_GRKERNSEC_CHROOT_FCHDIR=y +CONFIG_GRKERNSEC_CHROOT_MKNOD=y +CONFIG_GRKERNSEC_CHROOT_SHMAT=y +CONFIG_GRKERNSEC_CHROOT_UNIX=y +CONFIG_GRKERNSEC_CHROOT_FINDTASK=y +CONFIG_GRKERNSEC_CHROOT_NICE=y +CONFIG_GRKERNSEC_CHROOT_SYSCTL=y +CONFIG_GRKERNSEC_CHROOT_RENAME=y +CONFIG_GRKERNSEC_CHROOT_CAPS=y +CONFIG_GRKERNSEC_CHROOT_INITRD=y + +# +# Kernel Auditing +# +# CONFIG_GRKERNSEC_AUDIT_GROUP is not set +# CONFIG_GRKERNSEC_EXECLOG is not set +CONFIG_GRKERNSEC_RESLOG=y +# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set +# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set +# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set +# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set +CONFIG_GRKERNSEC_SIGNAL=y +# CONFIG_GRKERNSEC_FORKFAIL is not set +CONFIG_GRKERNSEC_TIME=y +CONFIG_GRKERNSEC_PROC_IPADDR=y +CONFIG_GRKERNSEC_RWXMAP_LOG=y + +# +# Executable Protections +# +CONFIG_GRKERNSEC_DMESG=y +CONFIG_GRKERNSEC_HARDEN_PTRACE=y +CONFIG_GRKERNSEC_PTRACE_READEXEC=y +CONFIG_GRKERNSEC_SETXID=y +CONFIG_GRKERNSEC_HARDEN_IPC=y +CONFIG_GRKERNSEC_HARDEN_TTY=y +CONFIG_GRKERNSEC_TPE=y +# CONFIG_GRKERNSEC_TPE_ALL is not set +# CONFIG_GRKERNSEC_TPE_INVERT is not set +CONFIG_GRKERNSEC_TPE_GID=1005 + +# +# Network Protections +# +CONFIG_GRKERNSEC_BLACKHOLE=y 
+CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y +# CONFIG_GRKERNSEC_SOCKET is not set + +# +# Physical Protections +# +CONFIG_GRKERNSEC_DENYUSB=y +# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set + +# +# Sysctl Support +# +CONFIG_GRKERNSEC_SYSCTL=y +CONFIG_GRKERNSEC_SYSCTL_DISTRO=y +CONFIG_GRKERNSEC_SYSCTL_ON=y + +# +# Logging Options +# +CONFIG_GRKERNSEC_FLOODTIME=10 +CONFIG_GRKERNSEC_FLOODBURST=6 +CONFIG_KEYS=y +# CONFIG_PERSISTENT_KEYRINGS is not set +# CONFIG_BIG_KEYS is not set +CONFIG_ENCRYPTED_KEYS=y +# CONFIG_KEY_DH_OPERATIONS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +# CONFIG_INTEL_TXT is not set +CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y +CONFIG_HARDENED_USERCOPY=y +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_DEFAULT_SECURITY="" +CONFIG_XOR_BLOCKS=y +CONFIG_ASYNC_CORE=y +CONFIG_ASYNC_MEMCPY=y +CONFIG_ASYNC_XOR=y +CONFIG_ASYNC_PQ=y +CONFIG_ASYNC_RAID6_RECOV=y +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_BLKCIPHER=y +CONFIG_CRYPTO_BLKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_RSA=y +# CONFIG_CRYPTO_DH is not set +# CONFIG_CRYPTO_ECDH is not set +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +# CONFIG_CRYPTO_USER is not set +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +# CONFIG_CRYPTO_PCRYPT is not set +CONFIG_CRYPTO_WORKQUEUE=y +# CONFIG_CRYPTO_CRYPTD is not set +# CONFIG_CRYPTO_MCRYPTD is not set +CONFIG_CRYPTO_AUTHENC=y +# CONFIG_CRYPTO_TEST is not set + +# +# Authenticated Encryption with Associated Data +# +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +# CONFIG_CRYPTO_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_ECHAINIV=y + +# +# Block 
modes +# +CONFIG_CRYPTO_CBC=y +CONFIG_CRYPTO_CTR=y +CONFIG_CRYPTO_CTS=y +CONFIG_CRYPTO_ECB=y +# CONFIG_CRYPTO_LRW is not set +# CONFIG_CRYPTO_PCBC is not set +CONFIG_CRYPTO_XTS=y +# CONFIG_CRYPTO_KEYWRAP is not set + +# +# Hash modes +# +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_HMAC=y +# CONFIG_CRYPTO_XCBC is not set +# CONFIG_CRYPTO_VMAC is not set + +# +# Digest +# +CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32C_INTEL is not set +CONFIG_CRYPTO_CRC32=y +# CONFIG_CRYPTO_CRC32_PCLMUL is not set +CONFIG_CRYPTO_CRCT10DIF=y +# CONFIG_CRYPTO_CRCT10DIF_PCLMUL is not set +CONFIG_CRYPTO_GHASH=y +# CONFIG_CRYPTO_POLY1305 is not set +# CONFIG_CRYPTO_POLY1305_X86_64 is not set +# CONFIG_CRYPTO_MD4 is not set +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +# CONFIG_CRYPTO_RMD128 is not set +# CONFIG_CRYPTO_RMD160 is not set +# CONFIG_CRYPTO_RMD256 is not set +# CONFIG_CRYPTO_RMD320 is not set +CONFIG_CRYPTO_SHA1=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +# CONFIG_CRYPTO_SHA256_SSSE3 is not set +# CONFIG_CRYPTO_SHA512_SSSE3 is not set +# CONFIG_CRYPTO_SHA1_MB is not set +# CONFIG_CRYPTO_SHA256_MB is not set +# CONFIG_CRYPTO_SHA512_MB is not set +CONFIG_CRYPTO_SHA256=y +# CONFIG_CRYPTO_SHA512 is not set +# CONFIG_CRYPTO_SHA3 is not set +# CONFIG_CRYPTO_TGR192 is not set +# CONFIG_CRYPTO_WP512 is not set +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set + +# +# Ciphers +# +CONFIG_CRYPTO_AES=y +# CONFIG_CRYPTO_AES_X86_64 is not set +# CONFIG_CRYPTO_AES_NI_INTEL is not set +# CONFIG_CRYPTO_ANUBIS is not set +CONFIG_CRYPTO_ARC4=y +# CONFIG_CRYPTO_BLOWFISH is not set +# CONFIG_CRYPTO_BLOWFISH_X86_64 is not set +# CONFIG_CRYPTO_CAMELLIA is not set +# CONFIG_CRYPTO_CAMELLIA_X86_64 is not set +# CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64 is not set +# CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64 is not set +# CONFIG_CRYPTO_CAST5 is not set +# CONFIG_CRYPTO_CAST5_AVX_X86_64 is not set +# CONFIG_CRYPTO_CAST6 is not set +# CONFIG_CRYPTO_CAST6_AVX_X86_64 is not set +CONFIG_CRYPTO_DES=y +# 
CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +# CONFIG_CRYPTO_FCRYPT is not set +# CONFIG_CRYPTO_KHAZAD is not set +# CONFIG_CRYPTO_SALSA20 is not set +# CONFIG_CRYPTO_SALSA20_X86_64 is not set +# CONFIG_CRYPTO_CHACHA20 is not set +# CONFIG_CRYPTO_CHACHA20_X86_64 is not set +# CONFIG_CRYPTO_SEED is not set +# CONFIG_CRYPTO_SERPENT is not set +# CONFIG_CRYPTO_SERPENT_SSE2_X86_64 is not set +# CONFIG_CRYPTO_SERPENT_AVX_X86_64 is not set +# CONFIG_CRYPTO_SERPENT_AVX2_X86_64 is not set +# CONFIG_CRYPTO_TEA is not set +# CONFIG_CRYPTO_TWOFISH is not set +# CONFIG_CRYPTO_TWOFISH_X86_64 is not set +# CONFIG_CRYPTO_TWOFISH_X86_64_3WAY is not set +# CONFIG_CRYPTO_TWOFISH_AVX_X86_64 is not set + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +# CONFIG_CRYPTO_LZO is not set +# CONFIG_CRYPTO_842 is not set +# CONFIG_CRYPTO_LZ4 is not set +# CONFIG_CRYPTO_LZ4HC is not set + +# +# Random Number Generation +# +CONFIG_CRYPTO_ANSI_CPRNG=y +CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG_HMAC=y +# CONFIG_CRYPTO_DRBG_HASH is not set +# CONFIG_CRYPTO_DRBG_CTR is not set +CONFIG_CRYPTO_DRBG=y +CONFIG_CRYPTO_JITTERENTROPY=y +# CONFIG_CRYPTO_USER_API_HASH is not set +# CONFIG_CRYPTO_USER_API_SKCIPHER is not set +# CONFIG_CRYPTO_USER_API_RNG is not set +# CONFIG_CRYPTO_USER_API_AEAD is not set +CONFIG_CRYPTO_HASH_INFO=y +# CONFIG_CRYPTO_HW is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y +# CONFIG_PKCS7_TEST_KEY is not set +# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set + +# +# Certificates for signature checking +# +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set +CONFIG_HAVE_KVM=y +CONFIG_HAVE_KVM_IRQCHIP=y +CONFIG_HAVE_KVM_IRQFD=y +CONFIG_HAVE_KVM_IRQ_ROUTING=y +CONFIG_HAVE_KVM_EVENTFD=y +CONFIG_KVM_MMIO=y +CONFIG_KVM_ASYNC_PF=y 
+CONFIG_HAVE_KVM_MSI=y +CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y +CONFIG_KVM_VFIO=y +CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y +CONFIG_KVM_COMPAT=y +CONFIG_HAVE_KVM_IRQ_BYPASS=y +CONFIG_VIRTUALIZATION=y +CONFIG_KVM=y +CONFIG_KVM_INTEL=y +# CONFIG_KVM_AMD is not set +# CONFIG_KVM_DEVICE_ASSIGNMENT is not set +CONFIG_VHOST_NET=y +CONFIG_VHOST_VSOCK=y +CONFIG_VHOST=y +CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y +# CONFIG_BINARY_PRINTF is not set + +# +# Library routines +# +CONFIG_RAID6_PQ=y +CONFIG_BITREVERSE=y +# CONFIG_HAVE_ARCH_BITREVERSE is not set +CONFIG_RATIONAL=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_GENERIC_FIND_FIRST_BIT=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_GENERIC_IO=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_CRC_CCITT=m +CONFIG_CRC16=y +CONFIG_CRC_T10DIF=y +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +CONFIG_XZ_DEC=y +CONFIG_XZ_DEC_X86=y +CONFIG_XZ_DEC_POWERPC=y +CONFIG_XZ_DEC_IA64=y +CONFIG_XZ_DEC_ARM=y +CONFIG_XZ_DEC_ARMTHUMB=y +CONFIG_XZ_DEC_SPARC=y +CONFIG_XZ_DEC_BCJ=y +# CONFIG_XZ_DEC_TEST is not set +CONFIG_DECOMPRESS_GZIP=y +CONFIG_DECOMPRESS_BZIP2=y +CONFIG_DECOMPRESS_LZMA=y +CONFIG_DECOMPRESS_XZ=y +CONFIG_DECOMPRESS_LZO=y +CONFIG_DECOMPRESS_LZ4=y +CONFIG_GENERIC_ALLOCATOR=y +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_INTERVAL_TREE=y +CONFIG_ASSOCIATIVE_ARRAY=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +CONFIG_CHECK_SIGNATURE=y 
+CONFIG_CPU_RMAP=y +CONFIG_DQL=y +CONFIG_GLOB=y +# CONFIG_GLOB_SELFTEST is not set +CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y +# CONFIG_CORDIC is not set +# CONFIG_DDR is not set +CONFIG_IRQ_POLL=y +CONFIG_MPILIB=y +CONFIG_LIBFDT=y +CONFIG_OID_REGISTRY=y +CONFIG_UCS2_STRING=y +CONFIG_FONT_SUPPORT=y +# CONFIG_FONTS is not set +CONFIG_FONT_8x8=y +CONFIG_FONT_8x16=y +# CONFIG_SG_SPLIT is not set +CONFIG_SG_POOL=y +CONFIG_ARCH_HAS_SG_CHAIN=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_ARCH_HAS_MMIO_FLUSH=y +CONFIG_SBITMAP=y diff --git a/core/ports/linux-libre/port-cpu.patch b/core/ports/linux-libre/port-cpu.patch new file mode 100644 index 0000000..8530806 --- /dev/null +++ b/core/ports/linux-libre/port-cpu.patch @@ -0,0 +1,11 @@ +--- enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch.orig 2017-02-14 20:15:28.629583505 +0000 ++++ enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch 2017-02-14 20:22:54.566232597 +0000 +@@ -440,7 +440,7 @@ + # generates cmov. + config X86_CMOV + def_bool y +-- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX) ++- depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX) + + depends on (MK8 || MK8SSE3 || MK10 || MBARCELONA || MBOBCAT || MBULLDOZER || MPILEDRIVER || MSTEAMROLLER || MEXCAVATOR || MZEN || MJAGUAR || MK7 || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MNATIVE || MATOM || MGEODE_LX) + + config X86_MINIMUM_CPU_FAMILY diff --git a/core/ports/linux-libre/port-grsecurity.patch b/core/ports/linux-libre/port-grsecurity.patch new file mode 100644 index 0000000..5dcd7fc 
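Review bot: port-cpu.patch and port-libre-cpu.patch (added further down in this same commit) are byte-identical: both file headers carry `index 0000000..8530806`, and the single hunk that adds `MPSC` to the `X86_CMOV` depends list is the same in each. Two copies of one patch means a later fix to one silently drifts from the other; keep a single file and point both ports at it, or put a leading comment in each such as `# identical to port-libre-cpu.patch; kept separate because <reason>` so the duplication is deliberate rather than accidental. The same overlap exists, less exactly, between port-grsecurity.patch and port-libre-grsecurity.patch, whose first hunk differs only in the `---`/`+++` timestamps.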
--- /dev/null +++ b/core/ports/linux-libre/port-grsecurity.patch 
@@ -0,0 +1,62 @@ +--- grsecurity-3.1-4.9.9-201702122044.patch 2017-02-14 19:45:20.732988092 +0000 ++++ grsecurity-3.1-4.9.9-201702122044.patch 2017-02-14 19:53:12.012969518 +0000 +@@ -90805,59 +90805,6 @@ + if (!file->private_data) + return -ENOMEM; + return 0; +-diff --git a/firmware/Makefile b/firmware/Makefile +-index e297e1b..aeb0982 100644 +---- a/firmware/Makefile +-+++ b/firmware/Makefile +-@@ -35,9 +35,11 @@ fw-shipped-$(CONFIG_BNX2X) += bnx2x/bnx2x-e1-6.2.9.0.fw \ +- bnx2x/bnx2x-e1h-6.2.9.0.fw \ +- bnx2x/bnx2x-e2-6.2.9.0.fw +- fw-shipped-$(CONFIG_BNX2) += bnx2/bnx2-mips-09-6.2.1a.fw \ +-+ bnx2/bnx2-mips-09-6.2.1b.fw \ +- bnx2/bnx2-rv2p-09-6.0.17.fw \ +- bnx2/bnx2-rv2p-09ax-6.0.17.fw \ +- bnx2/bnx2-mips-06-6.2.1.fw \ +-+ bnx2/bnx2-mips-06-6.2.3.fw \ +- bnx2/bnx2-rv2p-06-6.0.15.fw +- fw-shipped-$(CONFIG_CASSINI) += sun/cassini.bin +- fw-shipped-$(CONFIG_CHELSIO_T3) += cxgb3/t3b_psram-1.1.0.bin \ +-diff --git a/firmware/WHENCE b/firmware/WHENCE +-index de6f22e..51fbae7 100644 +---- a/firmware/WHENCE +-+++ b/firmware/WHENCE +-@@ -653,21 +653,23 @@ Found in hex form in kernel source. +- Driver: BNX2 - Broadcom NetXtremeII +- +- File: bnx2/bnx2-mips-06-6.2.1.fw +-+File: bnx2/bnx2-mips-06-6.2.3.fw +- File: bnx2/bnx2-rv2p-06-6.0.15.fw +- File: bnx2/bnx2-mips-09-6.2.1a.fw +-+File: bnx2/bnx2-mips-09-6.2.1b.fw +- File: bnx2/bnx2-rv2p-09-6.0.17.fw +- File: bnx2/bnx2-rv2p-09ax-6.0.17.fw +- +- Licence: +-- +-- This file contains firmware data derived from proprietary unpublished +-- source code, Copyright (c) 2004 - 2010 Broadcom Corporation. +-- +-- Permission is hereby granted for the distribution of this firmware data +-- in hexadecimal or equivalent format, provided this copyright notice is +-- accompanying it. +-- +--Found in hex form in kernel source. +-+ +-+ This file contains firmware data derived from proprietary unpublished +-+ source code, Copyright (c) 2004 - 2010 Broadcom Corporation. 
+-+ +-+ Permission is hereby granted for the distribution of this firmware data +-+ in hexadecimal or equivalent format, provided this copyright notice is +-+ accompanying it. +-+ +-+Found in hex form in kernel source. +- +- -------------------------------------------------------------------------- +- + diff --git a/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex b/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex + new file mode 100644 + index 0000000..da72bf1 diff --git a/core/ports/linux-libre/port-libre-cpu.patch b/core/ports/linux-libre/port-libre-cpu.patch new file mode 100644 index 0000000..8530806 --- /dev/null +++ b/core/ports/linux-libre/port-libre-cpu.patch @@ -0,0 +1,11 @@ +--- enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch.orig 2017-02-14 20:15:28.629583505 +0000 ++++ enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch 2017-02-14 20:22:54.566232597 +0000 +@@ -440,7 +440,7 @@ + # generates cmov. + config X86_CMOV + def_bool y +-- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX) ++- depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX) + + depends on (MK8 || MK8SSE3 || MK10 || MBARCELONA || MBOBCAT || MBULLDOZER || MPILEDRIVER || MSTEAMROLLER || MEXCAVATOR || MZEN || MJAGUAR || MK7 || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MNATIVE || MATOM || MGEODE_LX) + + config X86_MINIMUM_CPU_FAMILY diff --git a/core/ports/linux-libre/port-libre-grsecurity.patch b/core/ports/linux-libre/port-libre-grsecurity.patch new file mode 100644 index 0000000..d437421 --- /dev/null 
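Review bot: The hunk removes the grsecurity patch's `firmware/Makefile` and `firmware/WHENCE` changes but keeps, as context, the `diff --git a/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex` / `new file mode 100644` / `index 0000000..da72bf1` lines that follow, so the modified grsecurity patch still adds that ihex file (and presumably its bnx2 siblings) to the tree unless a hunk not shown here strips them. The WHENCE text being deleted describes this firmware as "derived from proprietary unpublished source code", which is exactly the class of blob a linux-libre port exists to exclude, so the ihex sections should be dropped as well, or the reason for keeping them recorded. Either way a patch file accepts leading free text, so add a header line such as `# drops grsecurity's firmware/ hunks: <reason — confirm against the deblobbed tree>` so the next grsecurity version bump does not have to rediscover why these hunks are cut.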
+++ b/core/ports/linux-libre/port-libre-grsecurity.patch 
@@ -0,0 +1,76 @@ +--- grsecurity-3.1-4.9.9-201702122044.patch 2017-02-18 05:14:08.682388834 +0000 ++++ grsecurity-3.1-4.9.9-201702122044.patch 2017-02-18 05:15:45.579051680 +0000 +@@ -90805,59 +90805,6 @@ + if (!file->private_data) + return -ENOMEM; + return 0; +-diff --git a/firmware/Makefile b/firmware/Makefile +-index e297e1b..aeb0982 100644 +---- a/firmware/Makefile +-+++ b/firmware/Makefile +-@@ -35,9 +35,11 @@ fw-shipped-$(CONFIG_BNX2X) += bnx2x/bnx2x-e1-6.2.9.0.fw \ +- bnx2x/bnx2x-e1h-6.2.9.0.fw \ +- bnx2x/bnx2x-e2-6.2.9.0.fw +- fw-shipped-$(CONFIG_BNX2) += bnx2/bnx2-mips-09-6.2.1a.fw \ +-+ bnx2/bnx2-mips-09-6.2.1b.fw \ +- bnx2/bnx2-rv2p-09-6.0.17.fw \ +- bnx2/bnx2-rv2p-09ax-6.0.17.fw \ +- bnx2/bnx2-mips-06-6.2.1.fw \ +-+ bnx2/bnx2-mips-06-6.2.3.fw \ +- bnx2/bnx2-rv2p-06-6.0.15.fw +- fw-shipped-$(CONFIG_CASSINI) += sun/cassini.bin +- fw-shipped-$(CONFIG_CHELSIO_T3) += cxgb3/t3b_psram-1.1.0.bin \ +-diff --git a/firmware/WHENCE b/firmware/WHENCE +-index de6f22e..51fbae7 100644 +---- a/firmware/WHENCE +-+++ b/firmware/WHENCE +-@@ -653,21 +653,23 @@ Found in hex form in kernel source. +- Driver: BNX2 - Broadcom NetXtremeII +- +- File: bnx2/bnx2-mips-06-6.2.1.fw +-+File: bnx2/bnx2-mips-06-6.2.3.fw +- File: bnx2/bnx2-rv2p-06-6.0.15.fw +- File: bnx2/bnx2-mips-09-6.2.1a.fw +-+File: bnx2/bnx2-mips-09-6.2.1b.fw +- File: bnx2/bnx2-rv2p-09-6.0.17.fw +- File: bnx2/bnx2-rv2p-09ax-6.0.17.fw +- +- Licence: +-- +-- This file contains firmware data derived from proprietary unpublished +-- source code, Copyright (c) 2004 - 2010 Broadcom Corporation. +-- +-- Permission is hereby granted for the distribution of this firmware data +-- in hexadecimal or equivalent format, provided this copyright notice is +-- accompanying it. +-- +--Found in hex form in kernel source. +-+ +-+ This file contains firmware data derived from proprietary unpublished +-+ source code, Copyright (c) 2004 - 2010 Broadcom Corporation. 
+-+ +-+ Permission is hereby granted for the distribution of this firmware data +-+ in hexadecimal or equivalent format, provided this copyright notice is +-+ accompanying it. +-+ +-+Found in hex form in kernel source. +- +- -------------------------------------------------------------------------- +- + diff --git a/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex b/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex + new file mode 100644 + index 0000000..da72bf1 +@@ -156547,13 +156494,6 @@ + break; + } + +-diff --git a/localversion-grsec b/localversion-grsec +-new file mode 100644 +-index 0000000..7cd6065 +---- /dev/null +-+++ b/localversion-grsec +-@@ -0,0 +1 @@ +-+-grsec + diff --git a/mm/Kconfig b/mm/Kconfig + index 86e3e0e..ab679cf 100644 + --- a/mm/Kconfig diff --git a/core/ports/linux-libre/port-libre-make.patch b/core/ports/linux-libre/port-libre-make.patch new file mode 100644 index 0000000..4834747 --- /dev/null +++ b/core/ports/linux-libre/port-libre-make.patch @@ -0,0 +1,11 @@ +--- Makefile 2017-02-18 04:48:37.675782509 +0000 ++++ Makefile.orig 2017-02-18 04:48:23.425783067 +0000 +@@ -1,7 +1,7 @@ + VERSION = 4 + PATCHLEVEL = 9 + SUBLEVEL = 9 +-EXTRAVERSION = -gnu ++EXTRAVERSION = -grsec + NAME = Roaring Lionus + + # *DOCUMENTATION* diff --git a/core/reboot.html b/core/reboot.html index b1ff71b..c63f9bc 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -33,12 +33,16 @@

      1.4.1. Linux Kernel

      -

      Install kernel with default crux configuration using pkgutils;

      +

      c9-ports have two kernels, linux libre and linux blob. + Port linux-libre kernel is a true source based kernel that + respects your freedoms, is x86_64 but not generic configured, + with all drivers as modules or correct graphic driver. + Port linux-blob contain blobs and loads firmware.

      -        # cd /usr/ports/c9-ports/linux-crux
      +        # cd /usr/ports/c9-ports/linux-libre
               # pkgmk -d
      -        # pkgadd /usr/ports/packages/linux-crux#4.1.30-1.pkg.tar.gz
      +        # pkgadd /usr/ports/packages/linux-libre#4.9.9-3.pkg.tar.gz
               

      1.4.2. Dracut - Initramfs

      @@ -60,6 +64,9 @@ # Equivalent to -H hostonly="yes" + # Mount / and /usr read-only by default. + ro_mnt="no" + # Equivalent to -m "module module module" dracutmodules+="dash kernel-modules rootfs-block udev-rules usrmount base fs-lib shutdown" @@ -72,10 +79,11 @@ # SEE man dracut.conf(5) for options
      -

      Run dracut to create init ram filesystem;

      +

      Run dracut to create init ram filesystem for + port linux-blob kernel;

      -        # dracut -v /boot/initramfs-4.1.30-crux.img 4.1.30-crux
      +        # dracut -v /boot/initramfs-4.9.9-blob.img 4.9.9-blob
               

      1.4.3. Configuring Grub2

      @@ -109,8 +117,7 @@
               # grub-mkconfig -o /boot/grub/grub.cfg
               Generating grub.cfg ...
      -        Found linux image: /boot/vmlinuz-4.1.30-crux
      -        Found initrd image: /boot/initramfs-4.1.30-crux.img
      +        Found linux image: /boot/vmlinuz-4.9.9-grsec
               done
               #
               
      @@ -145,7 +152,7 @@

      Debug initram

      -        /usr/lib/dracut/skipcpio /boot/initramfs-4.1.32-c9k9.img | gunzip -c | cpio -i -d
      +        /usr/lib/dracut/skipcpio /boot/initramfs-4.9.9-blob.img | gunzip -c | cpio -i -d
               36875 blocks
               
      diff --git a/core/scripts/act-chroot.sh b/core/scripts/act-chroot.sh index 7f665f0..f8ae571 100644 --- a/core/scripts/act-chroot.sh +++ b/core/scripts/act-chroot.sh @@ -1,38 +1,23 @@ #!/bin/bash -printf "1.1.2 EFI block; (/dev/sda1):" -#read BLK_EFI -BLK_EFI="/dev/sda1" +DEV=$1 -printf "1.1.2 boot block; (/dev/sda2):" -#read BLK_BOOT -BLK_BOOT="/dev/sda2" - -printf "1.1.2 root block; (/dev/sda3):" -#read BLK_ROOT -BLK_ROOT="/dev/sda3" -# -printf "1.1.2 var block; (/dev/sda4):" -#read BLK_VAR -BLK_VAR="/dev/sda4" -# -printf "1.1.2 usr block; (/dev/sda6):" -#read BLK_USR -BLK_USR="/dev/sda6" -# -printf "1.1.2 home block; (/dev/sda7):" -#read BLK_HOME -BLK_HOME="/dev/sda7" -# -printf "1.1.2 ports block; (/dev/sda8):\n" -#read BLK_PRT -BLK_PRT="/dev/sda8" - -printf "1.1.2 swap block; (/dev/sda9):\n" -#read BLK_SWP -BLK_SWP="/dev/sda9" +CHROOT="/mnt" +##read BLK_EFI +BLK_EFI="${DEV}2" +##read BLK_BOOT +BLK_BOOT="${DEV}3" +##read BLK_ROOT +BLK_ROOT="${DEV}4" +##read BLK_VAR +BLK_VAR="${DEV}5" +##read BLK_USR +BLK_USR="${DEV}6" +##read BLK_SWP +BLK_SWP="${DEV}7" +##read BLK_HOME +BLK_HOME="${DEV}8" -printf "1.1.3 mount point to chroot (/mnt):" #read CHROOT CHROOT="/mnt" diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh index bc94f7e..854a221 100644 --- a/core/scripts/backup-system.sh +++ b/core/scripts/backup-system.sh @@ -6,13 +6,10 @@ read ROOT_DIR echo -n "where you want to save (/home/user): " read DEST_DIR -echo -n "backup name (system_name): " -read BCK_NAME - echo $DES_DIR echo $ROOT_DIR -tar --xattrs -zcpf $DEST_DIR/$BCK_NAME-`date '+%Y-%j-%H-%M-%S'`.tar.gz \ +tar --xattrs -zcpf $DEST_DIR/system-backup-`date '+%Y-%j-%H-%M-%S'`.tar.gz \ --directory=$ROOT_DIR \ --exclude=usr/ports \ --exclude=usr/src \ diff --git a/core/scripts/setup-install.sh b/core/scripts/setup-install.sh index 4ca01ff..ad5e76a 100644 --- a/core/scripts/setup-install.sh +++ b/core/scripts/setup-install.sh 
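Review bot: `DEV=$1` at the top of the hunk is used unchecked to build every partition path, so running the script without an argument yields `BLK_EFI="2"`, `BLK_ROOT="4"` and so on instead of a clear error; `DEV=${1:?usage: $0 /dev/sdX}` makes the missing argument fatal before anything is mounted. `CHROOT="/mnt"` is now assigned twice, once right after `DEV=$1` and again under the surviving `#read CHROOT` comment, so one of the two should go. The `${DEV}N` concatenation also presumes a device name that takes a bare digit suffix; if that is intentional it deserves a comment, since the same numbering is restated by hand in setup-install.sh and must stay in step with it.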
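Review bot: The rewritten `tar` line still builds the archive path from an unquoted `$DEST_DIR` that was just read from the user, so a destination containing spaces splits into several arguments; quote it and use `$(...)`: `tar --xattrs -zcpf "$DEST_DIR/system-backup-$(date '+%Y-%j-%H-%M-%S').tar.gz" \`. The context line `echo $DES_DIR` two lines above looks like a pre-existing typo for `DEST_DIR`, which is why the destination is never echoed back before the backup starts. The tar command continues outside the hunk.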
@@ -3,33 +3,41 @@ # Set Global Vars ADMIN_USER=c9admin DEV=$1 -CHROOT="/mnt" -##read BLK_SWP -BLK_SWP="/dev/sda9" +CHROOT="/mnt" ##read BLK_EFI -BLK_EFI="${DEV}1" +BLK_EFI="${DEV}2" ##read BLK_BOOT -BLK_BOOT="${DEV}2" +BLK_BOOT="${DEV}3" ##read BLK_ROOT -BLK_ROOT="${DEV}3" +BLK_ROOT="${DEV}4" ##read BLK_VAR -BLK_VAR="${DEV}4" +BLK_VAR="${DEV}5" +##read BLK_USR +BLK_USR="${DEV}6" +##read BLK_SWP +BLK_SWP="${DEV}7" +##read BLK_HOME +BLK_HOME="${DEV}8" -# Absolute path to this script, e.g. /home/user/bin/foo.sh +# Absolute path to this script, +# e.g. /home/user/c9-doc/core/scripts/foo.sh SCRIPT=$(readlink -f "$0") -# Absolute path this script is in, thus /home/user/bin +# Absolute path this script is in, +# e.g. /home/user/c9-doc/core/scripts SCRIPTPATH=$(dirname "$SCRIPT") - +# Absolute path to doc section, +# e.g /home/user/c9-doc/core DIR=$(dirname "$SCRIPTPATH"); +# Absolute path to local data, +# e.g /home/user/local DIR_LOCAL="$(dirname $(dirname ${DIR}))/local"; + DIR_CONF="${DIR}/conf" DIR_PRT="${DIR}/ports"; +ISO_FILE="${DIR_LOCAL}/crux-3.3.iso" -ISO_FILE="${DIR_LOCAL}/crux-3.2.iso" - -# First we define the function ConfirmOrExit () { while true @@ -48,6 +56,7 @@ ConfirmOrExit () echo "You entered $CONFIRM. Continuing ..." } + setup_target () { echo "1.1.2 Creating File System on $BLK_EFI with fat32:" mkfs.fat -F 32 $BLK_EFI @@ -57,8 +66,12 @@ setup_target () { mkfs.ext4 $BLK_ROOT echo "1.1.2 Creating File System on $BLK_VAR with ext4:" mkfs.ext4 $BLK_VAR - #echo "1.1.2 Creating Swap File System on $BLK_SWP:" - #mkswap $BLK_SWP + echo "1.1.2 Creating File System on $BLK_USR with ext4:" + mkfs.ext4 $BLK_USR + echo "1.1.2 Creating Swap File System on $BLK_SWP:" + mkswap $BLK_SWP + echo "1.1.2 Creating File System on $BLK_HOME with ext4:" + mkfs.ext4 $BLK_HOME echo "1.1.3 mount point to chroot (/mnt):\n" mount $BLK_ROOT $CHROOT 
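Review bot: The new `mkfs.ext4 $BLK_USR`, `mkswap $BLK_SWP` and `mkfs.ext4 $BLK_HOME` lines in the third hunk format devices derived from `${DEV}N` without checking that they exist, and no `set -e` is visible in these hunks, so a failed mkfs would be followed by the `mount $BLK_ROOT $CHROOT` sequence on an unformatted or absent device; a guard such as `[ -b "$BLK_USR" ] || { echo "no such block device: $BLK_USR" >&2; exit 1; }` before each mkfs (or once for all `BLK_*` right after they are set in the first hunk) stops the run early. In the first hunk the partition numbers are restated by hand and must agree with act-chroot.sh and the parted layout in setup-target.sh; a comment pointing at that layout would help the next change. setup_target's body continues outside the hunk.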
@@ -69,6 +82,11 @@ setup_target () { mount $BLK_EFI $CHROOT/boot/efi mkdir -p $CHROOT/var mount $BLK_VAR $CHROOT/var + mkdir -p $CHROOT/usr + mount $BLK_USR $CHROOT/usr + mkdir -p $CHROOT/home + mount $BLK_HOME $CHROOT/home + mkdir -p $CHROOT/dev mkdir -p $CHROOT/tmp @@ -79,7 +97,6 @@ setup_target () { mkdir -p $CHROOT/usr/ports mkdir -p $CHROOT/media - mkdir -p $CHROOT/home mount --bind /dev $CHROOT/dev mount -vt devpts devpts $CHROOT/dev/pts @@ -92,12 +109,12 @@ setup_target () { mount -o loop $ISO_FILE $CHROOT/media } -setup_bin() { +install_packages() { echo "1.1.4 Create core.lst and install pkgadd" for p in $CHROOT/media/crux/core/*; do echo $p >> $CHROOT/core.lst; done - tar xf "$CHROOT/media/crux/core/pkgutils#5.36-2.pkg.tar.xz" usr/bin/pkgadd -O > $CHROOT/pkgadd + tar xf "$CHROOT/media/crux/core/pkgutils#5.40-1.pkg.tar.xz" usr/bin/pkgadd -O > $CHROOT/pkgadd chmod +x $CHROOT/pkgadd 
@@ -117,51 +134,51 @@ setup_bin() { rm $CHROOT/pkgadd rm $CHROOT/core.lst - echo "1.1.5. Install extra packages;" + echo "1.1.5. Install extra packages;" mkdir $CHROOT/usr/ports/packages cp $CHROOT/media/crux/core/* $CHROOT/usr/ports/packages cp $CHROOT/media/crux/opt/* $CHROOT/usr/ports/packages cp $CHROOT/media/crux/xorg/* $CHROOT/usr/ports/packages - echo "Installing $CHROOT/usr/ports/packages/fakeroot#1.20.2-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/fakeroot#1.20.2-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/dbus#1.10.2-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/dbus#1.10.2-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/expat#2.1.0-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/expat#2.1.0-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/libnl#3.2.27-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/libnl#3.2.27-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/libpng#1.6.19-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/libpng#1.6.19-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/freetype#2.6.1-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/freetype#2.6.1-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/libffi#3.2.1-2.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/libffi#3.2.1-2.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/sqlite3#3.9.2-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/sqlite3#3.9.2-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/python#2.7.10-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/python#2.7.10-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/glib#2.46.2-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT 
"$CHROOT/usr/ports/packages/glib#2.46.2-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/grub2#2.00-7.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/grub2#2.00-7.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/grub2-efi#2.00-4.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/grub2-efi#2.00-4.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/wireless-tools#29-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/wireless-tools#29-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/wpa_supplicant#2.5-2.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/wpa_supplicant#2.5-2.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/lvm2#2.02.133-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/lvm2#2.02.133-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/mdadm#3.3.4-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/mdadm#3.3.4-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/efivar#0.21-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/efivar#0.21-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/efibootmgr#0.12-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/efibootmgr#0.12-1.pkg.tar.xz" - echo "Installing $CHROOT/usr/ports/packages/dosfstools#3.0.26-1.pkg.tar.xz" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT "$CHROOT/usr/ports/packages/dosfstools#3.0.26-1.pkg.tar.xz" + echo "Installing $CHROOT/usr/ports/packages/fakeroot" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/fakeroot#* + echo "Installing $CHROOT/usr/ports/packages/dbus" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dbus#* + echo "Installing $CHROOT/usr/ports/packages/expat" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/expat#* + echo "Installing 
$CHROOT/usr/ports/packages/libnl" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libnl#* + echo "Installing $CHROOT/usr/ports/packages/libpng" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libpng#* + echo "Installing $CHROOT/usr/ports/packages/freetype" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/freetype#* + echo "Installing $CHROOT/usr/ports/packages/libffi" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libffi#* + echo "Installing $CHROOT/usr/ports/packages/sqlite3" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/sqlite3#* + echo "Installing $CHROOT/usr/ports/packages/python" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/python#* + echo "Installing $CHROOT/usr/ports/packages/glib" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/glib#* + echo "Installing $CHROOT/usr/ports/packages/grub2" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/grub2#* + echo "Installing $CHROOT/usr/ports/packages/grub2-efi" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/grub2-efi#* + echo "Installing $CHROOT/usr/ports/packages/wireless-tools" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wireless-tools#* + echo "Installing $CHROOT/usr/ports/packages/wpa_supplicant" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wpa_supplicant#* + echo "Installing $CHROOT/usr/ports/packages/lvm2" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/lvm2#* + echo "Installing $CHROOT/usr/ports/packages/mdadm" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/mdadm#* + echo "Installing $CHROOT/usr/ports/packages/efivar" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efivar#* + echo "Installing $CHROOT/usr/ports/packages/efibootmgr" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efibootmgr#* + echo "Installing 
$CHROOT/usr/ports/packages/dosfstools" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dosfstools#* echo "1.1.6. Install extra ports;\n" @@ -172,13 +189,13 @@ setup_bin() { cp /etc/resolv.conf $CHROOT/etc echo "1.1.8. Install Handbook\n" - cp /media/crux/handbook.txt $CHROOT/root/ + cp $CHROOT/media/crux/handbook.txt $CHROOT/root/ echo "1.1.9. Install Skeletons\n" cp -r $DIR_CONF/skel $CHROOT/etc/ } -setup_crux() { +host_metadata() { echo "1.2.1. Set hostname and hosts;" cp $DIR_CONF/hosts $CHROOT/etc/ @@ -189,7 +206,6 @@ setup_crux() { echo "1.2.3. Set locale;" chroot $CHROOT /bin/bash -c "localedef -i en_US -f UTF-8 en_US.UTF-8" - echo "1.2.4.2. Create Administrator $ADMIN_USER;" chroot $CHROOT /usr/bin/env -i \ @@ -205,7 +221,7 @@ setup_crux() { echo "1.2.5. File system table;" cp $DIR_CONF/fstab $CHROOT/etc/ - blkid >> $CHROOT/etc/fstab + chroot $CHROOT /bin/bash -c "mount >> /etc/fstab" vim $CHROOT/etc/fstab echo "1.2.6. Initialization Scripts;" @@ -252,9 +268,9 @@ setup_ports() { chroot $CHROOT /usr/bin/env -i \ HOME=/root TERM="$TERM" PS1='\u:\w\$ ' \ PATH=/bin:/usr/bin:/sbin:/usr/sbin \ - /bin/bash -c "id pkgmk" + /bin/bash -c "id pkgmk >> /etc/fstab" - read PAUSE + echo "pkgmk /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults 0 0" >> $CHROOT/etc/fstab vim $CHROOT/etc/fstab @@ -277,7 +293,9 @@ echo "1.1.2 EFI block; ($BLK_EFI)" echo "1.1.2 boot block; ($BLK_BOOT)" echo "1.1.2 root block; ($BLK_ROOT)" echo "1.1.2 var block; ($BLK_VAR)" -#echo "1.1.2 swap block; ($BLK_SWP)\n" +echo "1.1.2 usr block; ($BLK_USR)" +echo "1.1.2 swap block; ($BLK_SWP)" +echo "1.1.2 home block; ($BLK_HOME)\n" echo "ADMIN_USER="$ADMIN_USER"\n" echo "CHROOT=$CHROOT"; @@ -287,10 +305,11 @@ echo "DIR_PRT=$DIR_PRT"; echo "ISO_FILE=$ISO_FILE"; ConfirmOrExit - +echo "press enter to continue" +read setup_target -setup_bin -setup_crux +install_packages +host_metadata setup_ports echo "Ready to chroot $CHROOT /bin/bash \n" 
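Review bot: The pinned package file names are replaced by unquoted `fakeroot#*`-style globs passed straight to `pkgadd -f`, so if more than one build of a package sits in `$CHROOT/usr/ports/packages` all of them are handed to a single pkgadd call, and if none matches the literal pattern is passed instead of failing; the previous names at least documented which version the installer expects. The same pair of lines is repeated nineteen times, so a small helper that resolves the glob, insists on exactly one existing file and then installs it both restores the check and shrinks the hunk; with the helper below the pairs collapse to `for p in fakeroot dbus … dosfstools; do install_pkg "$p"; done`. install_packages continues outside the hunk.
```sh
install_pkg() {
  # Resolve the single package file for the port named in $1;
  # fail loudly on zero or several matches instead of feeding them to pkgadd.
  set -- "$CHROOT"/usr/ports/packages/"$1"#*
  if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
    echo "expected exactly one package file, got: $*" >&2
    exit 1
  fi
  echo "Installing $1"
  "$CHROOT"/usr/bin/pkgadd -f -r "$CHROOT" "$1"
}
# … unchanged: cp of core/opt/xorg packages into $CHROOT/usr/ports/packages …
for p in fakeroot dbus expat libnl libpng freetype libffi sqlite3 python glib \
         grub2 grub2-efi wireless-tools wpa_supplicant lvm2 mdadm efivar \
         efibootmgr dosfstools; do
  install_pkg "$p"
done
```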
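Review bot: In the `setup_ports` hunk, `/bin/bash -c "id pkgmk >> /etc/fstab"` appends the output of `id` to the target's /etc/fstab, and the hunk under `setup_crux()` does the same with `mount >> /etc/fstab`; neither is fstab syntax, so unless the operator deletes those lines in the `vim` session that follows, the file is left malformed. If the intent is to show the ids and current mounts while editing, print them to the terminal instead (`/bin/bash -c "id pkgmk"`, as the removed line did). The hard-coded `gid=102,uid=101` in the appended tmpfs line should be taken from the account that was just created rather than assumed, e.g. `PKGMK_UID=$(chroot $CHROOT id -u pkgmk)` and `PKGMK_GID=$(chroot $CHROOT id -g pkgmk)` substituted into the echo; the core/conf/fstab committed later on this page carries different numbers (`gid=101,uid=100`), which is exactly the drift this avoids.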
diff --git a/core/scripts/setup-iso.sh b/core/scripts/setup-iso.sh index 93858d6..e208378 100644 --- a/core/scripts/setup-iso.sh +++ b/core/scripts/setup-iso.sh @@ -1,17 +1,5 @@ #!/bin/sh -# Absolute path to this script, e.g. /home/user/bin/foo.sh -SCRIPT=$(readlink -f "$0") -# Absolute path this script is in, thus /home/user/bin -SCRIPTPATH=$(dirname "$SCRIPT") - -DIR=$(dirname "$SCRIPTPATH"); -DIR_LOCAL="$(dirname $(dirname ${DIR}))/local"; - -ISO_URL="https://serverop.de/crux/crux-3.2/iso/crux-3.2.iso" -ISO_FILE="${DIR_LOCAL}/crux-3.2.iso" - - # First we define the function ConfirmOrExit () { @@ -31,9 +19,26 @@ ConfirmOrExit () echo "You entered $CONFIRM. Continuing ..." } -echo "1.1.1 Path/to crux-3.2.iso:" -echo $ISO_FILE +# Absolute path to this script, e.g. /home/user/bin/foo.sh +SCRIPT=$(readlink -f "$0") +# Absolute path this script is in, thus /home/user/bin +SCRIPTPATH=$(dirname "$SCRIPT") + +DIR=$(dirname "$SCRIPTPATH"); +DIR_LOCAL="$(dirname $(dirname ${DIR}))/local"; + +ISO_URL="https://serverop.de/crux/crux-3.3/iso/crux-3.3.iso" +MD5_URL="https://serverop.de/crux/crux-3.3/iso/crux-3.3.md5" + +ISO_FILE="${DIR_LOCAL}/crux-3.3.iso" +MD5_FILE="${DIR_LOCAL}/crux-3.3.md5" + +echo "1.1.1 Paths to iso and md5 files:" +echo "dir: ${DIR_LOCAL}" +echo "iso url: ${ISO_URL}" +echo "md5 url: ${MD5_URL}" ConfirmOrExit +mkdir -p ${DIR_LOCAL} #prepare_iso() { @@ -42,7 +47,22 @@ ConfirmOrExit echo "File $ISO_FILE exists." else echo "File $ISO_FILE does not exist." - cd $ISO_PATH && { curl -k -O $ISO_URL ; cd -; } + cd $DIR_LOCAL && { curl -k -O $ISO_URL ; cd -; } + fi + + if [ -f $MD5_FILE ]; + then + echo "File ${MD5_FILE} exists." + else + echo "File ${MD5_FILE} does not exist." + cd ${DIR_LOCAL} && { curl -k -O ${MD5_URL} ; cd -; } + fi + + if cd ${DIR_LOCAL} && md5sum -c ${MD5_FILE} ; + then + echo "Valid iso md5sum" + else + echo "Invalid iso md5sum" fi #} diff --git a/core/scripts/setup-target.sh b/core/scripts/setup-target.sh index e64bfe1..6931fe9 100644 
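Review bot: Both downloads in the last hunk (`curl -k -O $ISO_URL` and `curl -k -O ${MD5_URL}`) disable TLS certificate verification, and the checksum is fetched from the same host over the same unverified connection, so the following `md5sum -c` can only detect a corrupted transfer, not a substituted image and checksum; the URLs are https, so drop `-k`, and prefer a signature check if the distribution publishes one. The `else echo "Invalid iso md5sum"` branch only prints and falls through, so a failed check does not stop the run; it should end with `exit 1`. `cd ${DIR_LOCAL} && md5sum -c ${MD5_FILE}` also leaves the shell in `$DIR_LOCAL` for whatever follows the hunk, unlike the `{ …; cd -; }` pattern used two blocks above.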
--- a/core/scripts/setup-target.sh +++ b/core/scripts/setup-target.sh @@ -26,10 +26,24 @@ ConfirmOrExit parted --script $DEV \ mklabel gpt \ - mkpart ESP fat32 1MiB 120MiB \ - mkpart primary ext4 120MiB 376MiB \ - mkpart primary ext4 376MiB 4376MiB \ - mkpart primary ext4 4376MiB 5000MiB \ - set 1 boot on + unit mib \ + mkpart primary 1 3 \ + name 1 grub \ + set 1 bios_grub on \ + mkpart ESP fat32 3 125 \ + name 2 efi \ + set 2 boot on \ + mkpart primary ext4 125 1128 \ + name 3 boot \ + mkpart primary ext4 1128 5128 \ + name 4 root \ + mkpart primary ext4 5128 6128 \ + name 5 var \ + mkpart primary ext4 6128 14128 \ + name 6 usr \ + mkpart primary linux-swap 14128 18128 \ + name 7 swap \ + mkpart primary ext4 18128 100% \ + name 8 home exit 0; -- cgit 1.4.1-2-gfad0 From 2a21a4806c13aa5d3c53c47d4754ebc9f0e58016 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sun, 19 Feb 2017 20:50:32 +0000 Subject: fix core install and ports --- core/conf/prt-get.conf | 2 +- core/ports.html | 2 +- core/scripts/setup-install.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'core/conf') diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf index 1a5d841..f6b6d16 100644 --- a/core/conf/prt-get.conf +++ b/core/conf/prt-get.conf @@ -38,7 +38,7 @@ logfile /usr/ports/pkgbuild/%n-%v-%r.log readme verbose # (verbose|compact|disabled) ### prefer higher versions in sysup / diff -preferhigher yes # (yes|no) +preferhigher no # (yes|no) ### use regexp search # useregex no # (yes|no) diff --git a/core/ports.html b/core/ports.html index 230e284..489e728 100644 --- a/core/ports.html +++ b/core/ports.html @@ -185,7 +185,7 @@ readme verbose # (verbose|compact|disabled) ### prefer higher versions in sysup / diff - preferhigher yes # (yes|no) + preferhigher no # (yes|no) ### use regexp search # useregex no # (yes|no) diff --git a/core/scripts/setup-install.sh b/core/scripts/setup-install.sh index ad5e76a..01e3bd1 100644 --- a/core/scripts/setup-install.sh 
+++ b/core/scripts/setup-install.sh @@ -237,7 +237,7 @@ setup_ports() { chroot $CHROOT /usr/bin/env -i \ HOME=/root TERM="$TERM" PS1='\u:\w\$ ' \ PATH=/bin:/usr/bin:/sbin:/usr/sbin \ - /bin/bash -c "useradd -U -m -d /usr/ports -s /bin/false pkgmk" + /bin/bash -c "useradd -U -M -d /usr/ports -s /bin/false pkgmk" chroot $CHROOT /usr/bin/env -i \ HOME=/root TERM="$TERM" PS1='\u:\w\$ ' \ -- cgit 1.4.1-2-gfad0 From 0e7880313b3a3e016c0d2e287802cc6ddff9edd1 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Mon, 20 Feb 2017 09:06:21 +0000 Subject: core revision --- core/conf/fstab | 13 +- core/conf/pkgmk.conf | 4 +- core/conf/prt-get.conf | 4 +- core/conf/rc.d/wlan | 7 +- core/conf/sysctl.conf | 538 ++++++++++++++-- core/configure.html | 45 +- core/dash.html | 2 +- core/exim.html | 2 +- core/index.html | 38 +- core/linux.html | 676 +++++++++++++++++++-- core/network.html | 141 +---- core/package.html | 18 +- core/ports.html | 16 +- core/ports/linux-blob/.footprint | 107 ++-- core/ports/linux-blob/.md5sum | 10 +- core/ports/linux-blob/Pkgfile | 11 +- core/ports/linux-blob/config-c9 | 49 +- core/ports/linux-blob/port-blob-grsecurity.patch | 8 +- core/ports/linux-blob/port-blob-make.patch | 2 +- core/ports/linux-libre/.footprint | 107 ++-- core/ports/linux-libre/.md5sum | 10 +- core/ports/linux-libre/Pkgfile | 10 +- core/ports/linux-libre/config-c9 | 49 +- core/ports/linux-libre/port-libre-grsecurity.patch | 4 +- core/ports/linux-libre/port-libre-make.patch | 2 +- core/reboot.html | 106 +--- 26 files changed, 1417 insertions(+), 562 deletions(-) (limited to 'core/conf') diff --git a/core/conf/fstab b/core/conf/fstab index da3c9dd..d3fc878 100644 --- a/core/conf/fstab +++ b/core/conf/fstab 
@@ -13,9 +13,20 @@ #/dev/cdrom /cdrom iso9660 ro,user,noauto,unhide 0 0 #/dev/dvd /dvd udf ro,user,noauto,unhide 0 0 #/dev/floppy/0 /floppy vfat user,noauto,unhide 0 0 -devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 #tmp /tmp tmpfs defaults 0 0 #shm /dev/shm tmpfs defaults 0 0 #usb /proc/bus/usb usbfs defaults 0 0 # End of file +#/dev/sda3 on / type ext4 (rw,relatime,data=ordered) +#UUID=3bab76f8-e714-45f1-8e30-04cc8a09c3d1 / ext4 ro,relatime,data=ordered 0 1 +/dev/sda3 / ext4 defaults,noatime,ro 0 1 +devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 +UUID=3b408790-65e1-4638-9591-7ba61f266913 /boot ext4 defaults,ro,noatime 0 0 +UUID=962D-0DE1 /boot/efi vfat ro,noauto,umask=0077 0 0 +UUID=f2336a56-fbe6-444c-bdbf-f0e6c209c237 /var ext4 defaults,nodev,noexec,nosuid,errors=remount-ro 0 0 +UUID=20bd3948-0877-4192-af52-ad87d6f96db0 /usr ext4 defaults,ro,nodev,errors=remount-ro 0 0 +UUID=66c083d6-b8f2-4a98-ae55-9412f98cc089 /usr/ports ext4 defaults,ro,nodev,errors=remount-ro 0 0 +pkgmk /usr/ports/work tmpfs size=30G,gid=101,uid=100,defaults 0 0 +UUID=36e9e1d5-8356-451e-a301-81098b9a15ea /srv ext4 defaults,nodev,errors=remount-ro 0 0 +UUID=cd15196a-69f1-4fb4-9730-a384c62add91 /home ext4 defaults,nodev,nosuid,errors=remount-ro 0 0 diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index 3533ba7..4ef372e 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf @@ -2,7 +2,7 @@ # /etc/pkgmk.conf: pkgmk(8) configuration # -export CFLAGS="-O2 -march=x86-64" +export CFLAGS="-O2 -march=native -mtune=native" export CXXFLAGS="${CFLAGS}" export MAKEFLAGS="-j4" @@ -22,7 +22,7 @@ case ${PKGMK_ARCH} in ;; esac -PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/) +#PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/) PKGMK_SOURCE_DIR="/usr/ports/distfiles" PKGMK_PACKAGE_DIR="/usr/ports/packages" PKGMK_WORK_DIR="/usr/ports/work/$name" diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf index f6b6d16..0504d3e 100644 --- a/core/conf/prt-get.conf 
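Review bot: The root entry `/dev/sda3 / ext4 defaults,noatime,ro 0 1` is the only filesystem addressed by device path while every other line uses a UUID, and the partition number does not match the install scripts earlier on this page, where setup-target.sh names partition 4 `root` and setup-install.sh sets `BLK_ROOT="${DEV}4"`; use the UUID (the commented line just above already carries one) so the entry does not depend on device enumeration. The tmpfs line `pkgmk /usr/ports/work tmpfs size=30G,gid=101,uid=100,defaults 0 0` also disagrees with the `gid=102,uid=101` that setup-install.sh appends for the same mount point; whichever ids the created pkgmk account actually has should be used in both places. Mounting /var with `nodev,noexec,nosuid` and /usr read-only is a deliberate hardening choice that deserves a one-line comment in the file so it is not "fixed" later.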
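Review bot: `export CFLAGS="-O2 -march=native -mtune=native"` ties every package built with this pkgmk.conf to the CPU of the build host, so packages built on one machine may not run on another; if packages are only ever built and used on the same host a comment saying so would help, otherwise keep a generic `-march=x86-64` for anything meant to be shared. Commenting out `PKGMK_SOURCE_MIRRORS` means sources are fetched only from each port's upstream URL, which is also worth a one-line note next to it.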
+++ b/core/conf/prt-get.conf @@ -38,7 +38,7 @@ logfile /usr/ports/pkgbuild/%n-%v-%r.log readme verbose # (verbose|compact|disabled) ### prefer higher versions in sysup / diff -preferhigher no # (yes|no) +#preferhigher yes # (yes|no) ### use regexp search # useregex no # (yes|no) @@ -51,7 +51,7 @@ runscripts yes # (no|yes) ### EXPERT SECTION ### ### alternative commands -makecommand sudo -H -u pkgmk fakeroot pkgmk +makecommand sudo -H -u pkgmk -g pkgmk fakeroot pkgmk addcommand sudo pkgadd removecommand sudo pkgrm runscriptcommand sudo sh diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan index 8800148..86910bc 100755 --- a/core/conf/rc.d/wlan +++ b/core/conf/rc.d/wlan @@ -15,7 +15,6 @@ PID_WIFI=/var/run/wpa_supplicant.pid OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV" OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV" - print_status() { $SSD --status --pidfile $2 case $? in @@ -35,7 +34,13 @@ case $1 in stop) ( $SSD --stop --retry 10 --pidfile $PID_DHCP $SSD --stop --retry 10 --pidfile $PID_WIFI ) + RETVAL=$? + /sbin/ip route del default dev ${DEV} + /sbin/ip route flush dev ${DEV} + /sbin/ip link set ${DEV} down + /sbin/ip addr flush dev ${DEV} + ;; restart) $0 stop diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index b419628..b60d3e6 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf 
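Review bot: In the `stop)` arm, `RETVAL=$?` captures the subshell's status but nothing in the hunk uses it before the four `/sbin/ip` calls overwrite `$?`, so either return it at the end of the arm or drop the assignment. `/sbin/ip route del default dev ${DEV}` fails when the interface has no default route (for example when wpa_supplicant never associated), so it should tolerate that case, e.g. `/sbin/ip route del default dev ${DEV} 2>/dev/null || true`, rather than print an error on every stop; the `ip route flush dev ${DEV}` on the next line already removes any remaining routes. The `case` statement runs past the hunk, so whether `RETVAL` is consumed later is not visible here.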
@@ -3,20 +3,420 @@ # kernel.printk = 15 1 1 4 +kernel.randomize_va_space = 1 +kernel.shmmax = 500000000 +# Allow for more PIDs (to reduce rollover problems); may break some programs 32768 +kernel.pid_max = 65536 + +# +# Memory Protections +# + +# If you say Y here, all ioperm and iopl calls will return an error. +# Ioperm and iopl can be used to modify the running kernel. +# Unfortunately, some programs need this access to operate properly, +# the most notable of which are XFree86 and hwclock. hwclock can be +# remedied by having RTC support in the kernel, so real-time +# clock support is enabled if this option is enabled, to ensure +# that hwclock operates correctly. +# +# If you're using XFree86 or a version of Xorg from 2012 or earlier, +# you may not be able to boot into a graphical environment with this +# option enabled. In this case, you should use the RBAC system instead. +#kernel.grsecurity.disable_priv_io = 1 +kernel.grsecurity.disable_priv_io = 0 + +# If you say Y here, attempts to bruteforce exploits against forking +# daemons such as apache or sshd, as well as against suid/sgid binaries +# will be deterred. When a child of a forking daemon is killed by PaX +# or crashes due to an illegal instruction or other suspicious signal, +# the parent process will be delayed 30 seconds upon every subsequent +# fork until the administrator is able to assess the situation and +# restart the daemon. +# In the suid/sgid case, the attempt is logged, the user has all their +# existing instances of the suid/sgid binary terminated and will +# be unable to execute any suid/sgid binaries for 15 minutes. +# +# It is recommended that you also enable signal logging in the auditing +# section so that logs are generated when a process triggers a suspicious +# signal. +# If the sysctl option is enabled, a sysctl option with name +# "deter_bruteforce" is created. 
+#kernel.grsecurity.deter_bruteforce = 1 + +# +# Filesystem Protections +# + +# Optimization for port usefor LBs +# Increase system file descriptor limit +fs.file-max = 65535 + +# If you say Y here, /tmp race exploits will be prevented, since users +# will no longer be able to follow symlinks owned by other users in +# world-writable +t directories (e.g. /tmp), unless the owner of the +# symlink is the owner of the directory. users will also not be +# able to hardlink to files they do not own. If the sysctl option is +# enabled, a sysctl option with name "linking_restrictions" is created. +kernel.grsecurity.linking_restrictions = 1 + + +# Apache's SymlinksIfOwnerMatch option has an inherent race condition +# that prevents it from being used as a security feature. As Apache +# verifies the symlink by performing a stat() against the target of +# the symlink before it is followed, an attacker can setup a symlink +# to point to a same-owned file, then replace the symlink with one +# that targets another user's file just after Apache "validates" the +# symlink -- a classic TOCTOU race. If you say Y here, a complete, +# race-free replacement for Apache's "SymlinksIfOwnerMatch" option +# will be in place for the group you specify. If the sysctl option +# is enabled, a sysctl option with name "enforce_symlinksifowner" is +# created. +#kernel.grsecurity.enforce_symlinksifowner = 1 +#kernel.grsecurity.symlinkown_gid = 33 + +# if you say Y here, users will not be able to write to FIFOs they don't +# own in world-writable +t directories (e.g. /tmp), unless the owner of +# the FIFO is the same owner of the directory it's held in. If the sysctl +# option is enabled, a sysctl option with name "fifo_restrictions" is +# created. +#kernel.grsecurity.fifo_restrictions = 1 + +# If you say Y here, a sysctl option with name "romount_protect" will +# be created. 
By setting this option to 1 at runtime, filesystems +# will be protected in the following ways: +# * No new writable mounts will be allowed +# * Existing read-only mounts won't be able to be remounted read/write +# * Write operations will be denied on all block devices +# This option acts independently of grsec_lock: once it is set to 1, +# it cannot be turned off. Therefore, please be mindful of the resulting +# behavior if this option is enabled in an init script on a read-only +# filesystem. +# Also be aware that as with other root-focused features, GRKERNSEC_KMEM +# and GRKERNSEC_IO should be enabled and module loading disabled via +# config or at runtime. +# This feature is mainly intended for secure embedded systems. +#kernel.grsecurity.romount_protect = 0 + +# if you say Y here, the capabilities on all processes within a +# chroot jail will be lowered to stop module insertion, raw i/o, +# system and net admin tasks, rebooting the system, modifying immutable +# files, modifying IPC owned by another, and changing the system time. +# This is left an option because it can break some apps. Disable this +# if your chrooted apps are having problems performing those kinds of +# tasks. If the sysctl option is enabled, a sysctl option with +# name "chroot_caps" is created. +kernel.grsecurity.chroot_caps = 1 + +#kernel.grsecurity.chroot_deny_bad_rename = 1 + +# If you say Y here, processes inside a chroot will not be able to chmod +# or fchmod files to make them have suid or sgid bits. This protects +# against another published method of breaking a chroot. If the sysctl +# option is enabled, a sysctl option with name "chroot_deny_chmod" is +# created. +kernel.grsecurity.chroot_deny_chmod = 1 + +# If you say Y here, processes inside a chroot will not be able to chroot +# again outside the chroot. This is a widely used method of breaking +# out of a chroot jail and should not be allowed. 
If the sysctl +# option is enabled, a sysctl option with name +# "chroot_deny_chroot" is created. +kernel.grsecurity.chroot_deny_chroot = 1 + +# If you say Y here, a well-known method of breaking chroots by fchdir'ing +# to a file descriptor of the chrooting process that points to a directory +# outside the filesystem will be stopped. If the sysctl option +# is enabled, a sysctl option with name "chroot_deny_fchdir" is created. +kernel.grsecurity.chroot_deny_fchdir = 1 + +# If you say Y here, processes inside a chroot will not be allowed to +# mknod. The problem with using mknod inside a chroot is that it +# would allow an attacker to create a device entry that is the same +# as one on the physical root of your system, which could range from +# anything from the console device to a device for your harddrive (which +# they could then use to wipe the drive or steal data). It is recommended +# that you say Y here, unless you run into software incompatibilities. +# If the sysctl option is enabled, a sysctl option with name +# "chroot_deny_mknod" is created. +kernel.grsecurity.chroot_deny_mknod = 1 + +# If you say Y here, processes inside a chroot will not be able to +# mount or remount filesystems. If the sysctl option is enabled, a +# sysctl option with name "chroot_deny_mount" is created. +kernel.grsecurity.chroot_deny_mount = 1 + +# If you say Y here, processes inside a chroot will not be able to use +# a function called pivot_root() that was introduced in Linux 2.3.41. It +# works similar to chroot in that it changes the root filesystem. This +# function could be misused in a chrooted process to attempt to break out +# of the chroot, and therefore should not be allowed. If the sysctl +# option is enabled, a sysctl option with name "chroot_deny_pivot" is +# created. +kernel.grsecurity.chroot_deny_pivot = 1 + +# If you say Y here, processes inside a chroot will not be able to attach +# to shared memory segments that were created outside of the chroot jail. 
+# It is recommended that you say Y here. If the sysctl option is enabled, +# a sysctl option with name "chroot_deny_shmat" is created. +kernel.grsecurity.chroot_deny_shmat = 1 + +# If you say Y here, an attacker in a chroot will not be able to +# write to sysctl entries, either by sysctl(2) or through a /proc +# interface. It is strongly recommended that you say Y here. If the +# sysctl option is enabled, a sysctl option with name +# "chroot_deny_sysctl" is created. +kernel.grsecurity.chroot_deny_sysctl = 1 + +# If you say Y here, processes inside a chroot will not be able to +# connect to abstract (meaning not belonging to a filesystem) Unix +# domain sockets that were bound outside of a chroot. It is recommended +# that you say Y here. If the sysctl option is enabled, a sysctl option +# with name "chroot_deny_unix" is created. +kernel.grsecurity.chroot_deny_unix = 1 + +# If you say Y here, the current working directory of all newly-chrooted +# applications will be set to the the root directory of the chroot. +# The man page on chroot(2) states: +# Note that usually chhroot does not change the current working +# directory, so that `.' can be outside the tree rooted at +# `/'. In particular, the super-user can escape from a +# `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. +# +# It is recommended that you say Y here, since it's not known to break +# any software. If the sysctl option is enabled, a sysctl option with +# name "chroot_enforce_chdir" is created. +kernel.grsecurity.chroot_enforce_chdir = 1 + +# If you say Y here, processes inside a chroot will not be able to +# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, +# getsid, or view any process outside of the chroot. If the sysctl +# option is enabled, a sysctl option with name "chroot_findtask" is +# created. 
+kernel.grsecurity.chroot_findtask = 1 + +# If you say Y here, processes inside a chroot will not be able to raise +# the priority of processes in the chroot, or alter the priority of +# processes outside the chroot. This provides more security than simply +# removing CAP_SYS_NICE from the process' capability set. If the +# sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" +# is created. +kernel.grsecurity.chroot_restrict_nice = 1 + +# +# Kernel Auditing +# + +# If you say Y here, the exec and chdir logging features will only operate +# on a group you specify. This option is recommended if you only want to +# watch certain users instead of having a large amount of logs from the +# entire system. If the sysctl option is enabled, a sysctl option with +# name "audit_group" is created. +kernel.grsecurity.audit_group = 0 + +# If you say Y here, the exec and chdir logging features will only operate +# on a group you specify. This option is recommended if you only want to +# watch certain users instead of having a large amount of logs from the +# entire system. If the sysctl option is enabled, a sysctl option with +# name "audit_group" is created. +#kernel.grsecurity.audit_gid = 201 + +# If you say Y here, all execve() calls will be logged (since the +# other exec*() calls are frontends to execve(), all execution +# will be logged). Useful for shell-servers that like to keep track +# of their users. If the sysctl option is enabled, a sysctl option with +# name "exec_logging" is created. +# WARNING: This option when enabled will produce a LOT of logs, especially +# on an active system. +kernel.grsecurity.exec_logging = 0 + +# If you say Y here, all attempts to overstep resource limits will +# be logged with the resource name, the requested size, and the current +# limit. It is highly recommended that you say Y here. If the sysctl +# option is enabled, a sysctl option with name "resource_logging" is +# created. 
If the RBAC system is enabled, the sysctl value is ignored. +#kernel.grsecurity.resource_logging = 1 +kernel.grsecurity.resource_logging = 0 + +# If you say Y here, all executions inside a chroot jail will be logged +# to syslog. This can cause a large amount of logs if certain +# applications (eg. djb's daemontools) are installed on the system, and +# is therefore left as an option. If the sysctl option is enabled, a +# sysctl option with name "chroot_execlog" is created. +kernel.grsecurity.chroot_execlog = 0 + +# If you say Y here, all attempts to attach to a process via ptrace +# will be logged. If the sysctl option is enabled, a sysctl option +# with name "audit_ptrace" is created. +#kernel.grsecurity.audit_ptrace = 1 +kernel.grsecurity.audit_ptrace = 0 + +# If you say Y here, all attempts to attach to a process via ptrace +# will be logged. If the sysctl option is enabled, a sysctl option +# with name "audit_ptrace" is created. +kernel.grsecurity.audit_chdir = 0 + +# If you say Y here, all mounts and unmounts will be logged. If the +# sysctl option is enabled, a sysctl option with name "audit_mount" is +# created. +#kernel.grsecurity.audit_mount = 1 +kernel.grsecurity.audit_mount = 0 + +# If you say Y here, certain important signals will be logged, such as +# SIGSEGV, which will as a result inform you of when a error in a program +# occurred, which in some cases could mean a possible exploit attempt. +# If the sysctl option is enabled, a sysctl option with name +# "signal_logging" is created. +kernel.grsecurity.signal_logging = 0 + +# If you say Y here, all failed fork() attempts will be logged. +# This could suggest a fork bomb, or someone attempting to overstep +# their process limit. If the sysctl option is enabled, a sysctl option +# with name "forkfail_logging" is created. +#kernel.grsecurity.forkfail_logging = 1 +kernel.grsecurity.forkfail_logging = 0 + +# If you say Y here, any changes of the system clock will be logged. 
+# If the sysctl option is enabled, a sysctl option with name +# "timechange_logging" is created. +#kernel.grsecurity.timechange_logging = 1 + +# if you say Y here, calls to mmap() and mprotect() with explicit +# usage of PROT_WRITE and PROT_EXEC together will be logged when +# denied by the PAX_MPROTECT feature. This feature will also +# log other problematic scenarios that can occur when PAX_MPROTECT +# is enabled on a binary, like textrels and PT_GNU_STACK. If the +# sysctl option is enabled, a sysctl option with name "rwxmap_logging" +# is created. +#kernel.grsecurity.rwxmap_logging = 1 + +# +# Executable Protections +# + +# if you say Y here, non-root users will not be able to use dmesg(8) +# to view the contents of the kernel's circular log buffer. +# The kernel's log buffer often contains kernel addresses and other +# identifying information useful to an attacker in fingerprinting a +# system for a targeted exploit. +# If the sysctl option is enabled, a sysctl option with name "dmesg" is +# created. +kernel.grsecurity.dmesg = 1 + +# Hide symbol addresses in /proc/kallsyms +kernel.kptr_restrict = 1 + +# If you say Y here, TTY sniffers and other malicious monitoring +# programs implemented through ptrace will be defeated. If you +# have been using the RBAC system, this option has already been +# enabled for several years for all users, with the ability to make +# fine-grained exceptions. +# +# This option only affects the ability of non-root users to ptrace +# processes that are not a descendent of the ptracing process. +# This means that strace ./binary and gdb ./binary will still work, +# but attaching to arbitrary processes will not. If the sysctl +# option is enabled, a sysctl option with name "harden_ptrace" is +# created. +kernel.grsecurity.harden_ptrace = 1 + +# If you say Y here, unprivileged users will not be able to ptrace unreadable +# binaries. This option is useful in environments that +# remove the read bits (e.g. 
file mode 4711) from suid binaries to +# prevent infoleaking of their contents. This option adds +# consistency to the use of that file mode, as the binary could normally +# be read out when run without privileges while ptracing. +# +# If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" +# is created. +kernel.grsecurity.ptrace_readexec = 1 + +# If you say Y here, a change from a root uid to a non-root uid +# in a multithreaded application will cause the resulting uids, +# gids, supplementary groups, and capabilities in that thread +# to be propagated to the other threads of the process. In most +# cases this is unnecessary, as glibc will emulate this behavior +# on behalf of the application. Other libcs do not act in the +# same way, allowing the other threads of the process to continue +# running with root privileges. If the sysctl option is enabled, +# a sysctl option with name "consistent_setxid" is created. +#kernel.grsecurity.consistent_setxid = 1 + +# If you say Y here, access to overly-permissive IPC objects (shared +# memory, message queues, and semaphores) will be denied for processes +# given the following criteria beyond normal permission checks: +# 1) If the IPC object is world-accessible and the euid doesn't match +# that of the creator or current uid for the IPC object +# 2) If the IPC object is group-accessible and the egid doesn't +# match that of the creator or current gid for the IPC object +# It's a common error to grant too much permission to these objects, +# with impact ranging from denial of service and information leaking to +# privilege escalation. This feature was developed in response to +# research by Tim Brown: +# http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ +# who found hundreds of such insecure usages. Processes with +# CAP_IPC_OWNER are still permitted to access these IPC objects. 
+# If the sysctl option is enabled, a sysctl option with name +# "harden_ipc" is created. +kernel.grsecurity.harden_ipc = 1 + +# If you say Y here, you will be able to choose a gid to add to the +# supplementary groups of users you want to mark as "untrusted." +# These users will not be able to execute any files that are not in +# root-owned directories writable only by root. If the sysctl option +# is enabled, a sysctl option with name "tpe" is created. +kernel.grsecurity.tpe = 1 +kernel.grsecurity.tpe_gid = 101 + +# If you say Y here, the group you specify in the TPE configuration will +# decide what group TPE restrictions will be *disabled* for. This +# option is useful if you want TPE restrictions to be applied to most +# users on the system. If the sysctl option is enabled, a sysctl option +# with name "tpe_invert" is created. Unlike other sysctl options, this +# entry will default to on for backward-compatibility. +kernel.grsecurity.tpe_invert = 1 + +# If you say Y here, all non-root users will be covered under +# a weaker TPE restriction. This is separate from, and in addition to, +# the main TPE options that you have selected elsewhere. Thus, if a +# "trusted" GID is chosen, this restriction applies to even that GID. +# Under this restriction, all non-root users will only be allowed to +# execute files in directories they own that are not group or +# world-writable, or in directories owned by root and writable only by +# root. If the sysctl option is enabled, a sysctl option with name +# "tpe_restrict_all" is created. 
+kernel.grsecurity.tpe_restrict_all = 0 + + +#kernel.grsecurity.harden_tty = 1 +# +# Network Protections +# + +# Increase Linux auto tuning TCP buffer limits +# min, default, and max number of bytes to use +# set max to at least 4MB, or higher if you use very high BDP paths +# Tcp Windows etc +net.core.rmem_max = 8388608 +net.core.wmem_max = 8388608 +net.core.netdev_max_backlog = 5000 +net.ipv4.tcp_window_scaling = 1 + +# Both ports linux-blob and linux-libre don't build with ipv6 # Disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 # Tuen IPv6 -net.ipv6.conf.default.router_solicitations = 0 -net.ipv6.conf.default.accept_ra_rtr_pref = 0 -net.ipv6.conf.default.accept_ra_pinfo = 0 -net.ipv6.conf.default.accept_ra_defrtr = 0 -net.ipv6.conf.default.autoconf = 0 -net.ipv6.conf.default.dad_transmits = 0 -net.ipv6.conf.default.max_addresses = 0 +#net.ipv6.conf.default.router_solicitations = 0 +#net.ipv6.conf.default.accept_ra_rtr_pref = 0 +#net.ipv6.conf.default.accept_ra_pinfo = 0 +#net.ipv6.conf.default.accept_ra_defrtr = 0 +#net.ipv6.conf.default.autoconf = 0 +#net.ipv6.conf.default.dad_transmits = 0 +#net.ipv6.conf.default.max_addresses = 0 # Avoid a smurf attack net.ipv4.icmp_echo_ignore_broadcasts = 1 @@ -56,8 +456,8 @@ net.ipv4.conf.default.accept_source_route = 0 ## protects from attackers that are using ip spoofing methods to do harm net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 -net.ipv6.conf.default.rp_filter = 1 -net.ipv6.conf.all.rp_filter = 1 +#net.ipv6.conf.default.rp_filter = 1 +#net.ipv6.conf.all.rp_filter = 1 # Make sure no one can alter the routing tables net.ipv4.conf.all.accept_redirects = 0 
@@ -70,18 +470,6 @@ net.ipv4.ip_forward = 1 net.ipv4.conf.all.send_redirects = 1 net.ipv4.conf.default.send_redirects = 1 -kernel.shmmax = 500000000 -# Turn on execshild -kernel.exec-shield = 1 -kernel.randomize_va_space = 1 - -# Optimization for port usefor LBs -# Increase system file descriptor limit -fs.file-max = 65535 - -# Allow for more PIDs (to reduce rollover problems); may break some programs 32768 -kernel.pid_max = 65536 - # Increase system IP port limits net.ipv4.ip_local_port_range = 2000 65000 
@@ -89,25 +477,99 @@ net.ipv4.ip_local_port_range = 2000 65000 net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 -# Increase Linux auto tuning TCP buffer limits -# min, default, and max number of bytes to use -# set max to at least 4MB, or higher if you use very high BDP paths -# Tcp Windows etc -net.core.rmem_max = 8388608 -net.core.wmem_max = 8388608 -net.core.netdev_max_backlog = 5000 -net.ipv4.tcp_window_scaling = 1 -# Grsecurity stuff +# If you say Y here, neither TCP resets nor ICMP +# destination-unreachable packets will be sent in response to packets +# sent to ports for which no associated listening process exists. +# This feature supports both IPV4 and IPV6 and exempts the +# loopback interface from blackholing. Enabling this feature +# makes a host more resilient to DoS attacks and reduces network +# visibility against scanners. +# +# The blackhole feature as-implemented is equivalent to the FreeBSD +# blackhole feature, as it prevents RST responses to all packets, not +# just SYNs. Under most application behavior this causes no +# problems, but applications (like haproxy) may not close certain +# connections in a way that cleanly terminates them on the remote +# end, leaving the remote host in LAST_ACK state. Because of this +# side-effect and to prevent intentional LAST_ACK DoSes, this +# feature also adds automatic mitigation against such attacks. +# The mitigation drastically reduces the amount of time a socket +# can spend in LAST_ACK state. If you're using haproxy and not +# all servers it connects to have this option enabled, consider +# disabling this feature on the haproxy host. +# +# If the sysctl option is enabled, two sysctl options with names +# "ip_blackhole" and "lastack_retries" will be created. +# While "ip_blackhole" takes the standard zero/non-zero on/off +# toggle, "lastack_retries" uses the same kinds of values as +# "tcp_retries1" and "tcp_retries2". 
The default value of 4 +# prevents a socket from lasting more than 45 seconds in LAST_ACK +# state. +#kernel.grsecurity.ip_blackhole = 1 +#kernel.grsecurity.lastack_retries = 4 + +# If you say Y here, you will be able to choose a GID of whose users will +# be unable to connect to other hosts from your machine or run server +# applications from your machine. If the sysctl option is enabled, a +# sysctl option with name "socket_all" is created. +#kernel.grsecurity.socket_all = 1 + +# Here you can choose the GID to disable socket access for. Remember to +# add the users you want socket access disabled for to the GID +# specified here. If the sysctl option is enabled, a sysctl option +# with name "socket_all_gid" is created. +#kernel.grsecurity.socket_all_gid = 202 + +# If you say Y here, you will be able to choose a GID of whose users will +# be unable to connect to other hosts from your machine, but will be +# able to run servers. If this option is enabled, all users in the group +# you specify will have to use passive mode when initiating ftp transfers +# from the shell on your machine. If the sysctl option is enabled, a +# sysctl option with name "socket_client" is created. +#kernel.grsecurity.socket_client = 1 + +# Here you can choose the GID to disable client socket access for. +# Remember to add the users you want client socket access disabled for to +# the GID specified here. If the sysctl option is enabled, a sysctl +# option with name "socket_client_gid" is created. +#kernel.grsecurity.socket_client_gid = 203 + +# If you say Y here, you will be able to choose a GID of whose users will +# be unable to connect to other hosts from your machine, but will be +# able to run servers. If this option is enabled, all users in the group +# you specify will have to use passive mode when initiating ftp transfers +# from the shell on your machine. If the sysctl option is enabled, a +# sysctl option with name "socket_client" is created. 
+#kernel.grsecurity.socket_server = 1 + +# Here you can choose the GID to disable server socket access for. +# Remember to add the users you want server socket access disabled for to +# the GID specified here. If the sysctl option is enabled, a sysctl +# option with name "socket_server_gid" is created. +#kernel.grsecurity.socket_server_gid = 204 + +# +# Physical Protections +# + +# If you say Y here, a new sysctl option with name "deny_new_usb" +# will be created. Setting its value to 1 will prevent any new +# USB devices from being recognized by the OS. Any attempted USB +# device insertion will be logged. This option is intended to be +# used against custom USB devices designed to exploit vulnerabilities +# in various USB device drivers. +# +# For greatest effectiveness, this sysctl should be set after any +# relevant init scripts. This option is safe to enable in distros +# as each user can choose whether or not to toggle the sysctl. +#kernel.grsecurity.deny_new_usb = 0 + +# +# Restrict grsec sysctl changes after this was set +# +#kernel.grsecurity.grsec_lock = 1 -# cant chroot to outside chroot used to break chroot -kernel.grsecurity.chroot_deny_chroot = 1 -# function related to filesystems used to exploit -kernel.grsecurity.chroot_deny_pivot = 1 -# enforce current directory to chroot -kernel.grsecurity.chroot_enforce_chdir = 1 -# cant chmod inside chroot used to break chroot -kernel.grsecurity.chroot_deny_chmod = 0 # End of file diff --git a/core/configure.html b/core/configure.html index ffcb0f7..1ca655f 100644 --- a/core/configure.html +++ b/core/configure.html @@ -215,7 +215,7 @@ target partition, blkid list all while vol_id --uuid /dev/sdb1 returns only uuid. Add all block ids to the end of file - /etc/fstab + /etc/fstab;
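Review bot: `#kernel.grsecurity.grsec_lock = 1` is left commented out at the end of the file, so every grsecurity toggle above it (chroot_*, harden_ptrace, tpe, dmesg) stays writable by root at runtime and a compromised root process can switch them off with one `sysctl -w`; once the set is stable it should be the last line and enabled: `kernel.grsecurity.grsec_lock = 1`. `kernel.randomize_va_space = 1` randomises stack, mmap and VDSO but leaves the brk heap at a fixed offset; the value that also randomises brk is `kernel.randomize_va_space = 2` (largely moot under PaX ASLR, but this same file is used with the linux-libre kernel documented in this commit). `tpe_invert = 1` with `tpe_gid = 101` makes gid 101 the one group exempt from TPE, and that is the gid that owns the writable, exec-capable build tmpfs in this commit's fstab, so its members are effectively unrestricted; a comment stating that this is the pkgmk group and why it is trusted would help. Several copy-pasted descriptions are wrong for the key they precede: `audit_gid` repeats the `audit_group` text, `audit_chdir` repeats `audit_ptrace`, and `socket_server` repeats `socket_client`.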

      @@ -223,27 +223,40 @@
               

      Read Securing mount points, - and edit /etc/fstab according to your disk layout.

      + and edit /etc/fstab according to your disk layout. Blocks with uuid will later be created at lvm

               #
               # /etc/fstab: static file system information
               #
               # <file system>        <dir>     <type>    <options>                        <dump> <pass>
      -        /dev/sda4 on / type ext4 (rw,relatime,data=ordered)
      -        /dev/sda3 on /boot type ext4 (rw,relatime,data=ordered)
      -        /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
      -        /dev/sda5 on /var type ext4 (rw,relatime,data=ordered)
      -        /dev/sda6 on /usr type ext4 (rw,relatime,data=ordered)
      -        /dev/sda8 on /home type ext4 (rw,relatime,data=ordered)
      -
      -        devtmpfs on /dev type devtmpfs (rw,nosuid,noatime,size=8192k,nr_inodes=16384,mode=755)
      -        devpts on /dev/pts type devpts (rw,relatime,mode=600)
      -        shm on /dev/shm type tmpfs (rw,relatime)
      -        proc on /proc type proc (rw,relatime)
      -        sysfs on /sys type sysfs (rw,relatime)
      -
      -        pkgmk                                           /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults 0    0
      +
      +        #/dev/#EXT4FS_ROOT#    /         ext4      defaults                         0      1
      +        #/dev/#BTRFS_ROOT#     /         btrfs     defaults                         0      0
      +        #/dev/#XFS_ROOT#       /         xfs       defaults                         0      0
      +        #/dev/#SWAP#           swap      swap      defaults                         0      0
      +        #/dev/#EXT4FS_HOME#    /home     ext4      defaults                         0      2
      +        #/dev/#BTRFS_HOME#     /home     btrfs     defaults                         0      0
      +        #/dev/#XFS_HOME#       /home     xfs       defaults                         0      0
      +        #/dev/cdrom            /cdrom    iso9660   ro,user,noauto,unhide            0      0
      +        #/dev/dvd              /dvd      udf       ro,user,noauto,unhide            0      0
      +        #/dev/floppy/0         /floppy   vfat      user,noauto,unhide               0      0
      +        #tmp                   /tmp      tmpfs     defaults                         0      0
      +        #shm                   /dev/shm  tmpfs     defaults                         0      0
      +        #usb                   /proc/bus/usb usbfs defaults                         0      0
      +
      +        /dev/sda3               / 		ext4	defaults,noatime,ro				0	1
      +        devpts                  /dev/pts	devpts	noexec,nosuid,gid=tty,mode=0620			0	0
      +        /dev/sda2               /boot	ext4	defaults,ro,noatime     		  		0	0
      +        /dev/sda1               /boot/efi	vfat	ro,noauto,umask=0077      			0	0
      +        /dev/sda4               /var		ext4	defaults,nodev,noexec,nosuid,errors=remount-ro  0	0
      +        /dev/sda5               /usr		ext4	defaults,ro,nodev,errors=remount-ro		0	0
      +
      +        UUID=66c083d6-b8f2-4a98-ae55-9412f98cc089  /usr/ports	ext4	        defaults,ro,nodev,errors=remount-ro     0	0
      +        pkgmk                                      /usr/ports/work tmpfs        size=30G,gid=101,uid=100,defaults       0       0
      +        UUID=36e9e1d5-8356-451e-a301-81098b9a15ea  /srv		ext4	        defaults,nodev,errors=remount-ro	0	0
      +        UUID=cd15196a-69f1-4fb4-9730-a384c62add91  /home        ext4            defaults,nodev,nosuid,errors=remount-ro	0	0
      +
               # End of file
               
      diff --git a/core/dash.html b/core/dash.html index 18045e5..ed6dbab 100644 --- a/core/dash.html +++ b/core/dash.html @@ -20,7 +20,7 @@ Core OS Index

      This is part of the c9 Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

      diff --git a/core/exim.html b/core/exim.html index c4b3c95..c1fd494 100644 --- a/core/exim.html +++ b/core/exim.html @@ -216,7 +216,7 @@ Core OS Index

      This is part of the c9 Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

      diff --git a/core/index.html b/core/index.html index bc8dad5..abff93d 100644 --- a/core/index.html +++ b/core/index.html @@ -59,8 +59,7 @@
    • 1.4. Prepare for reboot @@ -70,32 +69,33 @@

      2. System Administration

        -
      • 2.1. Network + +
      • 2.1. Linux Kernel
      • -
      • 2.2. Package Management +
      • 2.2. Network
      • -
      • 2.3. Linux Kernel +
      • 2.3. Package Management
      • diff --git a/core/linux.html b/core/linux.html index 53fc304..0304884 100644 --- a/core/linux.html +++ b/core/linux.html @@ -2,12 +2,12 @@ - 2.3. Kernel Linux + 2.1. Kernel Linux Core OS Index -

        2.3. Kernel Linux

        +

        2.1. Kernel Linux

        Linux is a monolith kernel, a big one ! Visit Linux Libre @@ -15,58 +15,41 @@ Linux Non-Libre pages for more links and information.

        -

        2.3.1. Port Linux Libre

        +

        2.1.1. Port Linux Libre

        -

        Collection c9-ports have linux-libre port with default crux - configuration, this port depends on dracut and grub but is not - required to install them. To build and install this port using - prt-get;

        +

        Default crux configuration can be obtained from iso, this port depends + on dracut and grub but is not required to install them. To build and install + this port using prt-get;

                 $ prt-get depinst linux-libre
                 
        -

        2.3.2. Manual Install

        +

        2.1.2. Manual Install

        Download Linux Source from linux libre, or using the port system;

        -
        -        $ cd /usr/ports/c9-ports/linux-libre
        -        $ sudo -u pkgmk pkgmk -do
        -        
        - -

        Crux iso comes with config that is used in this port, is - a good starting point to personalize according to your needs;

        +

        Crux iso comes with config that is more generic than used on linux-libre + port, crux default is a good starting point to personalize according to your + needs (build default, detect modules needed);

                 $ mkdir ~/kernel
                 $ cd ~/kernel
        -        $ cp /usr/ports/c9-ports/linux-libre/linux-4.1.32.defconfig .
        -        $ cp /usr/ports/distfiles/linux-libre-4.1.32-gnu.tar.xz .
        -        $ tar xf linux-libre-4.1.32-gnu.tar.xz
        -        $ cp linux-4.1.32.defconfig linux-4.1.32/.config
        +        $ cp /usr/ports/distfiles/linux-libre-4.9.11-gnu.tar.xz .
        +        $ tar xf linux-libre-4.9.11-gnu.tar.xz
        +        $ cd linux-4.9.11/
                 
        -

        If you like graysky2 kernel_gcc_patch (download master) that adds more cpu options (FLAGS native)

        - -
        -        $ cp /usr/ports/distfiles/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch cpu_optimizations.patch
        -        
        - -
        -        $ cd ~/linux-4.1.32/
        -        $ patch -p1 < ../cpu_optimizations.patch
        -        patching file arch/x86/include/asm/module.h
        -        patching file arch/x86/Kconfig.cpu
        -        patching file arch/x86/Makefile
        -        Hunk #1 succeeded at 85 with fuzz 1 (offset -9 lines).
        -        patching file arch/x86/Makefile_32.cpu
        -        $
        -        
        - -

        Read Gresecurity.

        +

        Grsecurity patch for + 4.9.11. + Gcc graysky2 kernel_gcc_patch (master.zip) + that adds more cpu options (FLAGS native). + Check Pkgfile for instructions and + more patches used on linux-libre port. Read patching your kernel with + gresecurity.

        Configure kernel according to your current kernel hardware support;

        @@ -77,11 +60,10 @@

        This will disable all unloaded modules, you can use localyesconfig mark all loaded - to be built in the kernel.

        - -

        To get information about your hardware, - for example information about which graphic - module (driver) is in use as root run;

        + to be built in the kernel. To get information + about your hardware, for example information + about which graphic module (driver) is in use + as root run;

                 # lspci -nnk | grep -i vga -A3 | grep 'in use'
        @@ -95,16 +77,16 @@
                 
        -        $ make -j $(nproc) all
        +        $ make -j $(nproc) bzImage modules
                 $ sudo make modules_install
        -        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.1.32-gnu_crux
        -        $ sudo cp System.map /boot/System.map-4.1.32-gnu_crux
        +        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.11-gnu
        +        $ sudo cp System.map /boot/System.map-4.9.11-gnu
                 

        Create dracut initramfs;

        -        $sudo dracut --fstab /boot/initramfs-4.1.32-gnu_crux.img 4.1.32-gnu_crux
        +        $sudo dracut --fstab /boot/initramfs-4.9.11-gnu.img 4.9.11-gnu
                 

        Update grub;

        @@ -113,17 +95,609 @@ # grub-mkconfig -o /boot/grub/grub.cfg
    • -

      2.3.3. Manual Remove

      +

      2.1.3. Manual Remove

      -        $ sudo rm -r /lib/modules/4.1.12-gnu_crux
      -        $ sudo rm /boot/vmlinuz-4.1.12-gnu_crux
      -        $ sudo rm /boot/System.map-4.1.12-gnu_crux
      +        $ sudo rm -r /lib/modules/4.9.11-gnu
      +        $ sudo rm /boot/vmlinuz-4.9.11-gnu
      +        $ sudo rm /boot/System.map-4.9.11-gnu
               
      +

      2.1.4. Sysctl

      + +

      Sysctl references + Arch TCP/IP stack hardening, + Cyberciti Nginx Hardning, + Cyberciti Security Hardening, + Grsecurity and PaX Configuration.

      + +

      Since kernels on c9-ports have PaX + and grsecurity, + /etc/sysctl.conf can have follow + values;

      + +
      +        #
      +        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
      +        #
      +
      +        kernel.printk = 15 1 1 4
      +        kernel.randomize_va_space = 1
      +        kernel.shmmax = 500000000
      +        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
      +        kernel.pid_max = 65536
      +
      +        #
      +        # Memory Protections
      +        #
      +
      +        #  If you say Y here, all ioperm and iopl calls will return an error.
      +        #  Ioperm and iopl can be used to modify the running kernel.
      +        #  Unfortunately, some programs need this access to operate properly,
      +        #  the most notable of which are XFree86 and hwclock.  hwclock can be
      +        #  remedied by having RTC support in the kernel, so real-time
      +        #  clock support is enabled if this option is enabled, to ensure
      +        #  that hwclock operates correctly.
      +        #
      +        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
      +        #  you may not be able to boot into a graphical environment with this
      +        #  option enabled.  In this case, you should use the RBAC system instead.
      +        #kernel.grsecurity.disable_priv_io = 1
      +        kernel.grsecurity.disable_priv_io = 0
      +
      +        #  If you say Y here, attempts to bruteforce exploits against forking
      +        #  daemons such as apache or sshd, as well as against suid/sgid binaries
      +        #  will be deterred.  When a child of a forking daemon is killed by PaX
      +        #  or crashes due to an illegal instruction or other suspicious signal,
      +        #  the parent process will be delayed 30 seconds upon every subsequent
      +        #  fork until the administrator is able to assess the situation and
      +        #  restart the daemon.
      +        #  In the suid/sgid case, the attempt is logged, the user has all their
      +        #  existing instances of the suid/sgid binary terminated and will
      +        #  be unable to execute any suid/sgid binaries for 15 minutes.
      +        #
      +        #  It is recommended that you also enable signal logging in the auditing
      +        #  section so that logs are generated when a process triggers a suspicious
      +        #  signal.
      +        #  If the sysctl option is enabled, a sysctl option with name
      +        #  "deter_bruteforce" is created.
      +        #kernel.grsecurity.deter_bruteforce = 1
      +
      +        #
      +        # Filesystem Protections
      +        #
      +
      +        # Optimization for port usefor LBs
      +        # Increase system file descriptor limit
      +        fs.file-max = 65535
      +
      +        #  If you say Y here, /tmp race exploits will be prevented, since users
      +        #  will no longer be able to follow symlinks owned by other users in
      +        #  world-writable +t directories (e.g. /tmp), unless the owner of the
      +        #  symlink is the owner of the directory. users will also not be
      +        #  able to hardlink to files they do not own.  If the sysctl option is
      +        #  enabled, a sysctl option with name "linking_restrictions" is created.
      +        kernel.grsecurity.linking_restrictions = 1
      +
      +
      +        #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
      +        #  that prevents it from being used as a security feature.  As Apache
      +        #  verifies the symlink by performing a stat() against the target of
      +        #  the symlink before it is followed, an attacker can setup a symlink
      +        #  to point to a same-owned file, then replace the symlink with one
      +        #  that targets another user's file just after Apache "validates" the
      +        #  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
      +        #  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
      +        #  will be in place for the group you specify. If the sysctl option
      +        #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
      +        #  created.
      +        #kernel.grsecurity.enforce_symlinksifowner = 1
      +        #kernel.grsecurity.symlinkown_gid = 33
      +
      +        #  if you say Y here, users will not be able to write to FIFOs they don't
      +        #  own in world-writable +t directories (e.g. /tmp), unless the owner of
      +        #  the FIFO is the same owner of the directory it's held in.  If the sysctl
      +        #  option is enabled, a sysctl option with name "fifo_restrictions" is
      +        #  created.
      +        #kernel.grsecurity.fifo_restrictions = 1
      +
      +        #  If you say Y here, a sysctl option with name "romount_protect" will
      +        #  be created.  By setting this option to 1 at runtime, filesystems
      +        #  will be protected in the following ways:
      +        #  * No new writable mounts will be allowed
      +        #  * Existing read-only mounts won't be able to be remounted read/write
      +        #  * Write operations will be denied on all block devices
      +        #  This option acts independently of grsec_lock: once it is set to 1,
      +        #  it cannot be turned off.  Therefore, please be mindful of the resulting
      +        #  behavior if this option is enabled in an init script on a read-only
      +        #  filesystem.
      +        #  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
      +        #  and GRKERNSEC_IO should be enabled and module loading disabled via
      +        #  config or at runtime.
      +        #  This feature is mainly intended for secure embedded systems.
      +        #kernel.grsecurity.romount_protect = 0
      +
      +        #  if you say Y here, the capabilities on all processes within a
      +        #  chroot jail will be lowered to stop module insertion, raw i/o,
      +        #  system and net admin tasks, rebooting the system, modifying immutable
      +        #  files, modifying IPC owned by another, and changing the system time.
      +        #  This is left an option because it can break some apps.  Disable this
      +        #  if your chrooted apps are having problems performing those kinds of
      +        #  tasks.  If the sysctl option is enabled, a sysctl option with
      +        #  name "chroot_caps" is created.
      +        kernel.grsecurity.chroot_caps = 1
      +
      +        #kernel.grsecurity.chroot_deny_bad_rename = 1
      +
      +        #  If you say Y here, processes inside a chroot will not be able to chmod
      +        #  or fchmod files to make them have suid or sgid bits.  This protects
      +        #  against another published method of breaking a chroot.  If the sysctl
      +        #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
      +        #  created.
      +        kernel.grsecurity.chroot_deny_chmod     = 1
      +
      +        #  If you say Y here, processes inside a chroot will not be able to chroot
      +        #  again outside the chroot.  This is a widely used method of breaking
      +        #  out of a chroot jail and should not be allowed.  If the sysctl
      +        #  option is enabled, a sysctl option with name
      +        #  "chroot_deny_chroot" is created.
      +        kernel.grsecurity.chroot_deny_chroot    = 1
      +
      +        #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
      +        #  to a file descriptor of the chrooting process that points to a directory
      +        #  outside the filesystem will be stopped.  If the sysctl option
      +        #  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
      +        kernel.grsecurity.chroot_deny_fchdir = 1
      +
      +        #  If you say Y here, processes inside a chroot will not be allowed to
      +        #  mknod.  The problem with using mknod inside a chroot is that it
      +        #  would allow an attacker to create a device entry that is the same
      +        #  as one on the physical root of your system, which could range from
      +        #  anything from the console device to a device for your harddrive (which
      +        #  they could then use to wipe the drive or steal data).  It is recommended
      +        #  that you say Y here, unless you run into software incompatibilities.
      +        #  If the sysctl option is enabled, a sysctl option with name
      +        #  "chroot_deny_mknod" is created.
      +        kernel.grsecurity.chroot_deny_mknod = 1
      +
      +        #  If you say Y here, processes inside a chroot will not be able to
      +        #  mount or remount filesystems.  If the sysctl option is enabled, a
      +        #  sysctl option with name "chroot_deny_mount" is created.
      +        kernel.grsecurity.chroot_deny_mount = 1
      +
      +        #  If you say Y here, processes inside a chroot will not be able to use
      +        #  a function called pivot_root() that was introduced in Linux 2.3.41.  It
      +        #  works similar to chroot in that it changes the root filesystem.  This
      +        #  function could be misused in a chrooted process to attempt to break out
      +        #  of the chroot, and therefore should not be allowed.  If the sysctl
      +        #  option is enabled, a sysctl option with name "chroot_deny_pivot" is
      +        #  created.
      +        kernel.grsecurity.chroot_deny_pivot     = 1
      +
      +        #  If you say Y here, processes inside a chroot will not be able to attach
      +        #  to shared memory segments that were created outside of the chroot jail.
      +        #  It is recommended that you say Y here.  If the sysctl option is enabled,
      +        #  a sysctl option with name "chroot_deny_shmat" is created.
      +        kernel.grsecurity.chroot_deny_shmat = 1
      +
      +        #  If you say Y here, an attacker in a chroot will not be able to
      +        #  write to sysctl entries, either by sysctl(2) or through a /proc
      +        #  interface.  It is strongly recommended that you say Y here. If the
      +        #  sysctl option is enabled, a sysctl option with name
      +        #  "chroot_deny_sysctl" is created.
      +        kernel.grsecurity.chroot_deny_sysctl = 1
      +
      +        #  If you say Y here, processes inside a chroot will not be able to
      +        #  connect to abstract (meaning not belonging to a filesystem) Unix
      +        #  domain sockets that were bound outside of a chroot.  It is recommended
      +        #  that you say Y here.  If the sysctl option is enabled, a sysctl option
      +        #  with name "chroot_deny_unix" is created.
      +        kernel.grsecurity.chroot_deny_unix = 1
      +
      +        #  If you say Y here, the current working directory of all newly-chrooted
      +        #  applications will be set to the the root directory of the chroot.
      +        #  The man page on chroot(2) states:
      +        #  Note that usually chhroot does not change  the  current  working
      +        #  directory,  so  that `.' can be outside the tree rooted at
      +        #  `/'.  In particular, the  super-user  can  escape  from  a
      +        #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
      +        #
      +        #  It is recommended that you say Y here, since it's not known to break
      +        #  any software.  If the sysctl option is enabled, a sysctl option with
      +        #  name "chroot_enforce_chdir" is created.
      +        kernel.grsecurity.chroot_enforce_chdir  = 1
      +
      +        #  If you say Y here, processes inside a chroot will not be able to
      +        #  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
      +        #  getsid, or view any process outside of the chroot.  If the sysctl
      +        #  option is enabled, a sysctl option with name "chroot_findtask" is
      +        #  created.
      +        kernel.grsecurity.chroot_findtask = 1
      +
      +        #  If you say Y here, processes inside a chroot will not be able to raise
      +        #  the priority of processes in the chroot, or alter the priority of
      +        #  processes outside the chroot.  This provides more security than simply
      +        #  removing CAP_SYS_NICE from the process' capability set.  If the
      +        #  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
      +        #  is created.
      +        kernel.grsecurity.chroot_restrict_nice = 1
      +
      +        #
      +        # Kernel Auditing
      +        #
      +
      +        #  If you say Y here, the exec and chdir logging features will only operate
      +        #  on a group you specify.  This option is recommended if you only want to
      +        #  watch certain users instead of having a large amount of logs from the
      +        #  entire system.  If the sysctl option is enabled, a sysctl option with
      +        #  name "audit_group" is created.
      +        kernel.grsecurity.audit_group = 0
      +
      +        #  If you say Y here, the exec and chdir logging features will only operate
      +        #  on a group you specify.  This option is recommended if you only want to
      +        #  watch certain users instead of having a large amount of logs from the
      +        #  entire system.  If the sysctl option is enabled, a sysctl option with
      +        #  name "audit_group" is created.
      +        #kernel.grsecurity.audit_gid = 201
      +
      +        #  If you say Y here, all execve() calls will be logged (since the
      +        #  other exec*() calls are frontends to execve(), all execution
      +        #  will be logged).  Useful for shell-servers that like to keep track
      +        #  of their users.  If the sysctl option is enabled, a sysctl option with
      +        #  name "exec_logging" is created.
      +        #  WARNING: This option when enabled will produce a LOT of logs, especially
      +        #  on an active system.
      +        kernel.grsecurity.exec_logging = 0
      +
      +        #  If you say Y here, all attempts to overstep resource limits will
      +        #  be logged with the resource name, the requested size, and the current
      +        #  limit.  It is highly recommended that you say Y here.  If the sysctl
      +        #  option is enabled, a sysctl option with name "resource_logging" is
      +        #  created.  If the RBAC system is enabled, the sysctl value is ignored.
      +        #kernel.grsecurity.resource_logging = 1
      +        kernel.grsecurity.resource_logging = 0
      +
      +        #  If you say Y here, all executions inside a chroot jail will be logged
      +        #  to syslog.  This can cause a large amount of logs if certain
      +        #  applications (eg. djb's daemontools) are installed on the system, and
      +        #  is therefore left as an option.  If the sysctl option is enabled, a
      +        #  sysctl option with name "chroot_execlog" is created.
      +        kernel.grsecurity.chroot_execlog = 0
      +
      +        #  If you say Y here, all attempts to attach to a process via ptrace
      +        #  will be logged.  If the sysctl option is enabled, a sysctl option
      +        #  with name "audit_ptrace" is created.
      +        #kernel.grsecurity.audit_ptrace = 1
      +        kernel.grsecurity.audit_ptrace = 0
      +
      +        #  If you say Y here, all attempts to attach to a process via ptrace
      +        #  will be logged.  If the sysctl option is enabled, a sysctl option
      +        #  with name "audit_ptrace" is created.
      +        kernel.grsecurity.audit_chdir = 0
      +
      +        #  If you say Y here, all mounts and unmounts will be logged.  If the
      +        #  sysctl option is enabled, a sysctl option with name "audit_mount" is
      +        #  created.
      +        #kernel.grsecurity.audit_mount = 1
      +        kernel.grsecurity.audit_mount = 0
      +
      +        #  If you say Y here, certain important signals will be logged, such as
      +        #  SIGSEGV, which will as a result inform you of when a error in a program
      +        #  occurred, which in some cases could mean a possible exploit attempt.
      +        #  If the sysctl option is enabled, a sysctl option with name
      +        #  "signal_logging" is created.
      +        kernel.grsecurity.signal_logging = 0
      +
      +        #  If you say Y here, all failed fork() attempts will be logged.
      +        #  This could suggest a fork bomb, or someone attempting to overstep
      +        #  their process limit.  If the sysctl option is enabled, a sysctl option
      +        #  with name "forkfail_logging" is created.
      +        #kernel.grsecurity.forkfail_logging = 1
      +        kernel.grsecurity.forkfail_logging = 0
      +
      +        #  If you say Y here, any changes of the system clock will be logged.
      +        #  If the sysctl option is enabled, a sysctl option with name
      +        #  "timechange_logging" is created.
      +        #kernel.grsecurity.timechange_logging = 1
      +
      +        #  if you say Y here, calls to mmap() and mprotect() with explicit
      +        #  usage of PROT_WRITE and PROT_EXEC together will be logged when
      +        #  denied by the PAX_MPROTECT feature.  This feature will also
      +        #  log other problematic scenarios that can occur when PAX_MPROTECT
      +        #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
      +        #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
      +        #  is created.
      +        #kernel.grsecurity.rwxmap_logging = 1
      +
      +        #
      +        # Executable Protections
      +        #
      +
      +
      +        #  if you say Y here, non-root users will not be able to use dmesg(8)
      +        #  to view the contents of the kernel's circular log buffer.
      +        #  The kernel's log buffer often contains kernel addresses and other
      +        #  identifying information useful to an attacker in fingerprinting a
      +        #  system for a targeted exploit.
      +        #  If the sysctl option is enabled, a sysctl option with name "dmesg" is
      +        #  created.
      +        kernel.grsecurity.dmesg = 1
      +
      +        # Hide symbol addresses in /proc/kallsyms
      +        kernel.kptr_restrict = 1
      +
      +        #  If you say Y here, TTY sniffers and other malicious monitoring
      +        #  programs implemented through ptrace will be defeated.  If you
      +        #  have been using the RBAC system, this option has already been
      +        #  enabled for several years for all users, with the ability to make
      +        #  fine-grained exceptions.
      +        #
      +        #  This option only affects the ability of non-root users to ptrace
      +        #  processes that are not a descendent of the ptracing process.
      +        #  This means that strace ./binary and gdb ./binary will still work,
      +        #  but attaching to arbitrary processes will not.  If the sysctl
      +        #  option is enabled, a sysctl option with name "harden_ptrace" is
      +        #  created.
      +        kernel.grsecurity.harden_ptrace = 1
      +
      +        #  If you say Y here, unprivileged users will not be able to ptrace unreadable
      +        #  binaries.  This option is useful in environments that
      +        #  remove the read bits (e.g. file mode 4711) from suid binaries to
      +        #  prevent infoleaking of their contents.  This option adds
      +        #  consistency to the use of that file mode, as the binary could normally
      +        #  be read out when run without privileges while ptracing.
      +        #
      +        #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
      +        #  is created.
      +        kernel.grsecurity.ptrace_readexec = 1
      +
      +        #  If you say Y here, a change from a root uid to a non-root uid
      +        #  in a multithreaded application will cause the resulting uids,
      +        #  gids, supplementary groups, and capabilities in that thread
      +        #  to be propagated to the other threads of the process.  In most
      +        #  cases this is unnecessary, as glibc will emulate this behavior
      +        #  on behalf of the application.  Other libcs do not act in the
      +        #  same way, allowing the other threads of the process to continue
      +        #  running with root privileges.  If the sysctl option is enabled,
      +        #  a sysctl option with name "consistent_setxid" is created.
      +        #kernel.grsecurity.consistent_setxid = 1
      +
      +        #  If you say Y here, access to overly-permissive IPC objects (shared
      +        #  memory, message queues, and semaphores) will be denied for processes
      +        #  given the following criteria beyond normal permission checks:
      +        #  1) If the IPC object is world-accessible and the euid doesn't match
      +        #     that of the creator or current uid for the IPC object
      +        #  2) If the IPC object is group-accessible and the egid doesn't
      +        #     match that of the creator or current gid for the IPC object
      +        #  It's a common error to grant too much permission to these objects,
      +        #  with impact ranging from denial of service and information leaking to
      +        #  privilege escalation.  This feature was developed in response to
      +        #  research by Tim Brown:
      +        #  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
      +        #  who found hundreds of such insecure usages.  Processes with
      +        #  CAP_IPC_OWNER are still permitted to access these IPC objects.
      +        #  If the sysctl option is enabled, a sysctl option with name
      +        #  "harden_ipc" is created.
      +        kernel.grsecurity.harden_ipc = 1
      +
      +        #  If you say Y here, you will be able to choose a gid to add to the
      +        #  supplementary groups of users you want to mark as "untrusted."
      +        #  These users will not be able to execute any files that are not in
      +        #  root-owned directories writable only by root.  If the sysctl option
      +        #  is enabled, a sysctl option with name "tpe" is created.
      +        kernel.grsecurity.tpe = 1
      +        kernel.grsecurity.tpe_gid = 101
      +
      +        #  If you say Y here, the group you specify in the TPE configuration will
      +        #  decide what group TPE restrictions will be *disabled* for.  This
      +        #  option is useful if you want TPE restrictions to be applied to most
      +        #  users on the system.  If the sysctl option is enabled, a sysctl option
      +        #  with name "tpe_invert" is created.  Unlike other sysctl options, this
      +        #  entry will default to on for backward-compatibility.
      +        kernel.grsecurity.tpe_invert = 1
      +
      +        #  If you say Y here, all non-root users will be covered under
      +        #  a weaker TPE restriction.  This is separate from, and in addition to,
      +        #  the main TPE options that you have selected elsewhere.  Thus, if a
      +        #  "trusted" GID is chosen, this restriction applies to even that GID.
      +        #  Under this restriction, all non-root users will only be allowed to
      +        #  execute files in directories they own that are not group or
      +        #  world-writable, or in directories owned by root and writable only by
      +        #  root.  If the sysctl option is enabled, a sysctl option with name
      +        #  "tpe_restrict_all" is created.
      +        kernel.grsecurity.tpe_restrict_all = 0
      +
      +
      +        #kernel.grsecurity.harden_tty = 1
      +        #
      +        # Network Protections
      +        #
      +
      +        # Increase Linux auto tuning TCP buffer limits
      +        # min, default, and max number of bytes to use
      +        # set max to at least 4MB, or higher if you use very high BDP paths
      +        # Tcp Windows etc
      +        net.core.rmem_max = 8388608
      +        net.core.wmem_max = 8388608
      +        net.core.netdev_max_backlog = 5000
      +        net.ipv4.tcp_window_scaling = 1
      +
      +        # Both ports linux-blob and linux-libre don't build with ipv6
      +        # Disable ipv6
      +        net.ipv6.conf.all.disable_ipv6 = 1
      +        net.ipv6.conf.default.disable_ipv6 = 1
      +        net.ipv6.conf.lo.disable_ipv6 = 1
      +
      +        # Tuen IPv6
      +        #net.ipv6.conf.default.router_solicitations = 0
      +        #net.ipv6.conf.default.accept_ra_rtr_pref = 0
      +        #net.ipv6.conf.default.accept_ra_pinfo = 0
      +        #net.ipv6.conf.default.accept_ra_defrtr = 0
      +        #net.ipv6.conf.default.autoconf = 0
      +        #net.ipv6.conf.default.dad_transmits = 0
      +        #net.ipv6.conf.default.max_addresses = 0
      +
      +        # Avoid a smurf attack
      +        net.ipv4.icmp_echo_ignore_broadcasts = 1
      +
      +        # Turn on protection for bad icmp error messages
      +        net.ipv4.icmp_ignore_bogus_error_responses = 1
      +
      +        # Turn on syncookies for SYN flood attack protection
      +        net.ipv4.tcp_syncookies = 1
      +
      +        ## protect against tcp time-wait assassination hazards
      +        ## drop RST packets for sockets in the time-wait state
      +        ## (not widely supported outside of linux, but conforms to RFC)
      +        net.ipv4.tcp_rfc1337 = 1
      +
      +        ## tcp timestamps
      +        ## + protect against wrapping sequence numbers (at gigabit speeds)
      +        ## + round trip time calculation implemented in TCP
      +        ## - causes extra overhead and allows uptime detection by scanners like nmap
      +        ## enable @ gigabit speeds
      +        net.ipv4.tcp_timestamps = 0
      +        #net.ipv4.tcp_timestamps = 1
      +
      +        # Turn on and log spoofed, source routed, and redirect packets
      +        net.ipv4.conf.all.log_martians = 1
      +        net.ipv4.conf.default.log_martians = 1
      +
      +        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
      +        net.ipv4.icmp_echo_ignore_broadcasts = 1
      +
      +        # No source routed packets here
      +        net.ipv4.conf.all.accept_source_route = 0
      +        net.ipv4.conf.default.accept_source_route = 0
      +
      +        ## sets the kernels reverse path filtering mechanism to value 1(on)
      +        ## will do source validation of the packet's recieved from all the interfaces on the machine
      +        ## protects from attackers that are using ip spoofing methods to do harm
      +        net.ipv4.conf.all.rp_filter = 1
      +        net.ipv4.conf.default.rp_filter = 1
      +        #net.ipv6.conf.default.rp_filter = 1
      +        #net.ipv6.conf.all.rp_filter = 1
      +
      +        # Make sure no one can alter the routing tables
      +        net.ipv4.conf.all.accept_redirects = 0
      +        net.ipv4.conf.default.accept_redirects = 0
      +        net.ipv4.conf.all.secure_redirects = 0
      +        net.ipv4.conf.default.secure_redirects = 0
      +
      +        # Act as a router, necessary for Access Point
      +        net.ipv4.ip_forward = 1
      +        net.ipv4.conf.all.send_redirects = 1
      +        net.ipv4.conf.default.send_redirects = 1
      +
      +        # Increase system IP port limits
      +        net.ipv4.ip_local_port_range = 2000 65000
      +
      +        # Increase TCP max buffer size setable using setsockopt()
      +        net.ipv4.tcp_rmem = 4096 87380 8388608
      +        net.ipv4.tcp_wmem = 4096 87380 8388608
      +
      +
      +        #  If you say Y here, neither TCP resets nor ICMP
      +        #  destination-unreachable packets will be sent in response to packets
      +        #  sent to ports for which no associated listening process exists.
      +        #  This feature supports both IPV4 and IPV6 and exempts the
      +        #  loopback interface from blackholing.  Enabling this feature
      +        #  makes a host more resilient to DoS attacks and reduces network
      +        #  visibility against scanners.
      +        #
      +        #  The blackhole feature as-implemented is equivalent to the FreeBSD
      +        #  blackhole feature, as it prevents RST responses to all packets, not
      +        #  just SYNs.  Under most application behavior this causes no
      +        #  problems, but applications (like haproxy) may not close certain
      +        #  connections in a way that cleanly terminates them on the remote
      +        #  end, leaving the remote host in LAST_ACK state.  Because of this
      +        #  side-effect and to prevent intentional LAST_ACK DoSes, this
      +        #  feature also adds automatic mitigation against such attacks.
      +        #  The mitigation drastically reduces the amount of time a socket
      +        #  can spend in LAST_ACK state.  If you're using haproxy and not
      +        #  all servers it connects to have this option enabled, consider
      +        #  disabling this feature on the haproxy host.
      +        #
      +        #  If the sysctl option is enabled, two sysctl options with names
      +        #  "ip_blackhole" and "lastack_retries" will be created.
      +        #  While "ip_blackhole" takes the standard zero/non-zero on/off
      +        #  toggle, "lastack_retries" uses the same kinds of values as
      +        #  "tcp_retries1" and "tcp_retries2".  The default value of 4
      +        #  prevents a socket from lasting more than 45 seconds in LAST_ACK
      +        #  state.
      +        #kernel.grsecurity.ip_blackhole = 1
      +        #kernel.grsecurity.lastack_retries = 4
      +
      +        #  If you say Y here, you will be able to choose a GID of whose users will
      +        #  be unable to connect to other hosts from your machine or run server
      +        #  applications from your machine.  If the sysctl option is enabled, a
      +        #  sysctl option with name "socket_all" is created.
      +        #kernel.grsecurity.socket_all = 1
      +
      +        #  Here you can choose the GID to disable socket access for. Remember to
      +        #  add the users you want socket access disabled for to the GID
      +        #  specified here.  If the sysctl option is enabled, a sysctl option
      +        #  with name "socket_all_gid" is created.
      +        #kernel.grsecurity.socket_all_gid = 202
      +
      +        #  If you say Y here, you will be able to choose a GID of whose users will
      +        #  be unable to connect to other hosts from your machine, but will be
      +        #  able to run servers.  If this option is enabled, all users in the group
      +        #  you specify will have to use passive mode when initiating ftp transfers
      +        #  from the shell on your machine.  If the sysctl option is enabled, a
      +        #  sysctl option with name "socket_client" is created.
      +        #kernel.grsecurity.socket_client = 1
      +
      +        #  Here you can choose the GID to disable client socket access for.
      +        #  Remember to add the users you want client socket access disabled for to
      +        #  the GID specified here.  If the sysctl option is enabled, a sysctl
      +        #  option with name "socket_client_gid" is created.
      +        #kernel.grsecurity.socket_client_gid = 203
      +
      +        #  If you say Y here, you will be able to choose a GID of whose users will
      +        #  be unable to connect to other hosts from your machine, but will be
      +        #  able to run servers.  If this option is enabled, all users in the group
      +        #  you specify will have to use passive mode when initiating ftp transfers
      +        #  from the shell on your machine.  If the sysctl option is enabled, a
      +        #  sysctl option with name "socket_client" is created.
      +        #kernel.grsecurity.socket_server = 1
      +
      +        #  Here you can choose the GID to disable server socket access for.
      +        #  Remember to add the users you want server socket access disabled for to
      +        #  the GID specified here.  If the sysctl option is enabled, a sysctl
      +        #  option with name "socket_server_gid" is created.
      +        #kernel.grsecurity.socket_server_gid = 204
      +
      +        #
      +        # Physical Protections
      +        #
      +
      +        #  If you say Y here, a new sysctl option with name "deny_new_usb"
      +        #  will be created.  Setting its value to 1 will prevent any new
      +        #  USB devices from being recognized by the OS.  Any attempted USB
      +        #  device insertion will be logged.  This option is intended to be
      +        #  used against custom USB devices designed to exploit vulnerabilities
      +        #  in various USB device drivers.
      +        #
      +        #  For greatest effectiveness, this sysctl should be set after any
      +        #  relevant init scripts.  This option is safe to enable in distros
      +        #  as each user can choose whether or not to toggle the sysctl.
      +        #kernel.grsecurity.deny_new_usb = 0
      +
      +        #
      +        # Restrict grsec sysctl changes after this was set
      +        #
      +        #kernel.grsecurity.grsec_lock = 1
      +
      +
      +
      +        # End of file
      +        
      + + Core OS Index

      This is part of the c9-doc Manual. -Copyright (C) 2016 +Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/network.html b/core/network.html
index c14f3db..ebea495 100644
--- a/core/network.html
+++ b/core/network.html
@@ -49,7 +49,7 @@ described scripts then proceed to update system.

      -

      2.1.1. Resolver

      +

      2.2.1. Resolver

This example will use Chaos Computer Club
@@ -65,7 +65,7 @@ # chattr +i /etc/resolv.conf

      -

      2.1.2. Static IP

      +

      2.2.2. Static IP

      Current example of /etc/rc.d/net;

      @@ -112,7 +112,7 @@ # ip route add default via ${GW} -

      2.1.3. Iptables

      +

      2.2.3. Iptables

For more information about iptables read arch wiki.
@@ -147,7 +147,7 @@

      -

      2.1.4. Wpa and dhcpd

      +

      2.2.4. Wpa and dhcpd

There is more information on Wiki Wifi Start Scripts and
@@ -165,7 +165,7 @@ # iwconfig wlp2s0 essid NAME key s:ABCDE12345 -

      2.1.4.1. Wpa Supplicant

      +

      2.2.4.1. Wpa Supplicant

      Configure wpa supplicant edit;

      @@ -195,7 +195,7 @@ init script to auto load wpa configuration and dhcp client.

      -

      2.1.4.2. Wpa Cli

      +

      2.2.4.2. Wpa Cli

               # wpa_cli
      @@ -235,137 +235,10 @@
               
      -

      2.1.5. Sysctl

      - -

      Sysctl references - Arch TCP/IP stack hardening, - Cyberciti Nginx Hardning, - Cyberciti Security Hardening, - edit /etc/sysctl.conf;

      - -
      -        #
      -        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
      -        #
      -
      -        kernel.printk = 1 4 1 7
      -
      -        # Disable ipv6
      -        net.ipv6.conf.all.disable_ipv6 = 1
      -        net.ipv6.conf.default.disable_ipv6 = 1
      -        net.ipv6.conf.lo.disable_ipv6 = 1
      -
      -        # Tuen IPv6
      -        # net.ipv6.conf.default.router_solicitations = 0
      -        # net.ipv6.conf.default.accept_ra_rtr_pref = 0
      -        # net.ipv6.conf.default.accept_ra_pinfo = 0
      -        # net.ipv6.conf.default.accept_ra_defrtr = 0
      -        # net.ipv6.conf.default.autoconf = 0
      -        # net.ipv6.conf.default.dad_transmits = 0
      -        # net.ipv6.conf.default.max_addresses = 0
      -
      -        # Avoid a smurf attack
      -        net.ipv4.icmp_echo_ignore_broadcasts = 1
      -
      -        # Turn on protection for bad icmp error messages
      -        net.ipv4.icmp_ignore_bogus_error_responses = 1
      -
      -        # Turn on syncookies for SYN flood attack protection
      -        net.ipv4.tcp_syncookies = 1
      -
      -        ## protect against tcp time-wait assassination hazards
      -        ## drop RST packets for sockets in the time-wait state
      -        ## (not widely supported outside of linux, but conforms to RFC)
      -        net.ipv4.tcp_rfc1337 = 1
      -
      -        ## tcp timestamps
      -        ## + protect against wrapping sequence numbers (at gigabit speeds)
      -        ## + round trip time calculation implemented in TCP
      -        ## - causes extra overhead and allows uptime detection by scanners like nmap
      -        ## enable @ gigabit speeds
      -        net.ipv4.tcp_timestamps = 0
      -        #net.ipv4.tcp_timestamps = 1
      -
      -        # Turn on and log spoofed, source routed, and redirect packets
      -        net.ipv4.conf.all.log_martians = 1
      -        net.ipv4.conf.default.log_martians = 1
      -
      -        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
      -        net.ipv4.icmp_echo_ignore_broadcasts = 1
      -
      -        # No source routed packets here
      -        net.ipv4.conf.all.accept_source_route = 0
      -        net.ipv4.conf.default.accept_source_route = 0
      -
      -        ## sets the kernels reverse path filtering mechanism to value 1(on)
      -        ## will do source validation of the packet's recieved from all the interfaces on the machine
      -        ## protects from attackers that are using ip spoofing methods to do harm
      -        net.ipv4.conf.all.rp_filter = 1
      -        net.ipv4.conf.default.rp_filter = 1
      -        net.ipv6.conf.default.rp_filter = 1
      -        net.ipv6.conf.all.rp_filter = 1
      -
      -        # Make sure no one can alter the routing tables
      -        net.ipv4.conf.all.accept_redirects = 0
      -        net.ipv4.conf.default.accept_redirects = 0
      -        net.ipv4.conf.all.secure_redirects = 0
      -        net.ipv4.conf.default.secure_redirects = 0
      -
      -        # Don't act as a router
      -        net.ipv4.ip_forward = 0
      -        net.ipv4.conf.all.send_redirects = 0
      -        net.ipv4.conf.default.send_redirects = 0
      -
      -        kernel.shmmax = 500000000
      -        # Turn on execshild
      -        kernel.exec-shield = 1
      -        kernel.randomize_va_space = 1
      -
      -        # Optimization for port usefor LBs
      -        # Increase system file descriptor limit
      -        fs.file-max = 65535
      -
      -        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
      -        kernel.pid_max = 65536
      -
      -        # Increase system IP port limits
      -        net.ipv4.ip_local_port_range = 2000 65000
      -
      -        # Increase TCP max buffer size setable using setsockopt()
      -        net.ipv4.tcp_rmem = 4096 87380 8388608
      -        net.ipv4.tcp_wmem = 4096 87380 8388608
      -
      -        # Increase Linux auto tuning TCP buffer limits
      -        # min, default, and max number of bytes to use
      -        # set max to at least 4MB, or higher if you use very high BDP paths
      -        # Tcp Windows etc
      -        net.core.rmem_max = 8388608
      -        net.core.wmem_max = 8388608
      -        net.core.netdev_max_backlog = 5000
      -        net.ipv4.tcp_window_scaling = 1
      -
      -        # End of file
      -        
      - -

      Change to act as a router (default of conf/sysctl.conf);

      - -
      -        # Act as a router, necessary for Access Point
      -        net.ipv4.ip_forward = 1
      -        net.ipv4.conf.all.send_redirects = 1
      -        net.ipv4.conf.default.send_redirects = 1
      -        
      - -

      Load new settings;

      - -
      -        # sysctl -p
      -        
      - Core OS Index

      This is part of the c9-doc Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/package.html b/core/package.html
index 475d94b..3c59669 100644
--- a/core/package.html
+++ b/core/package.html
@@ -2,13 +2,13 @@ - 2.2. Package Management + 2.3. Package Management Core OS Index -

      2.2. Package Management

      +

      2.3. Package Management

For more information read crux handbook Package management front-end:
@@ -57,7 +57,7 @@ $ prt-get depinst prt-utils prt-get-bashcompletion -

      2.2.1. Update System

      +

      2.3.1. Update System

      Before build software get latest version of port collections;

      @@ -87,7 +87,7 @@ $ prt-get update -fr $(revdep) -

      2.2.2. Install port and dependencies

      +

      2.3.2. Install port and dependencies

      Installing using prt-get tool;

      @@ -111,7 +111,7 @@

      If you user pkgmk and pkgadd allways check if README, pre and post instal files exist.

      -

      2.2.3. Ports collections

      +

      2.3.3. Ports collections

      Clone this documentation;

      @@ -146,7 +146,7 @@ $ sudo ports -u 6c37 -

      2.2.4. Show port information

      +

      2.3.4. Show port information

               $ prt-get info port_name
      @@ -164,13 +164,13 @@
               $ pkginfo -o filename
               
      -

      2.2.5. Show port dependencies

      +

      2.3.5. Show port dependencies

               $ prt-get depends port_name
               
      -

      2.2.6. Print information

      +

      2.3.6. Print information

      Example how to get ports installed from contrib. Maybe there is a "cleaner" way to this, for now is ok;

      @@ -181,7 +181,7 @@ Core OS Index

      This is part of the c9-doc Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/ports.html b/core/ports.html
index 489e728..98ccbba 100644
--- a/core/ports.html
+++ b/core/ports.html
@@ -23,7 +23,8 @@ # useradd -U -M -d /usr/ports -s /bin/false pkgmk -

      You can add your self to group pkgmk,

      +

      You can add your self to group pkgmk, Members of this group will + not be under tpe protection.

               # usermod -a -G pkgmk c9admin
      @@ -85,6 +86,8 @@
               export CFLAGS="-O2 -march=native -mtune=native"
               
      +

      "-protector-strong" which only insert stack canaries in fuctions where overflow might actually happen

      +

      Discover number of cores/cpus to hard code -j option.

      @@ -107,7 +110,7 @@
               # /etc/pkgmk.conf: pkgmk(8) configuration
               #
       
      -        export CFLAGS="-O2 -march=x86-64"
      +        export CFLAGS="-O2 -march=native -mtune=native"
               export CXXFLAGS="${CFLAGS}"
       
               export MAKEFLAGS="-j4"
      @@ -127,7 +130,7 @@
                               ;;
               esac
       
      -        PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
      +        #PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
               PKGMK_SOURCE_DIR="/usr/ports/distfiles"
               PKGMK_PACKAGE_DIR="/usr/ports/packages"
               PKGMK_WORK_DIR="/usr/ports/work/$name"
      @@ -163,6 +166,9 @@
               # the following line enables the user maintained contrib collection
               prtdir /usr/ports/contrib
       
      +        # ports described on this documentation
      +        #prtdir /usr/ports/c9-ports
      +
               # 6c37 team provides a collection with freetype-iu, fontconfig-iu
               # and cairo-iu ports.
               #prtdir /usr/ports/6c37
      @@ -185,7 +191,7 @@
               readme verbose           # (verbose|compact|disabled)
       
               ### prefer higher versions in sysup / diff
      -        preferhigher no      # (yes|no)
      +        preferhigher yes      # (yes|no)
       
               ### use regexp search
               # useregex no        # (yes|no)
      @@ -198,7 +204,7 @@
               ### EXPERT SECTION ###
       
               ### alternative commands
      -        makecommand      sudo -H -u pkgmk fakeroot pkgmk
      +        makecommand      sudo -H -u pkgmk -g pkgmk fakeroot pkgmk
               addcommand       sudo pkgadd
               removecommand    sudo pkgrm
               runscriptcommand sudo sh
      diff --git a/core/ports/linux-blob/.footprint b/core/ports/linux-blob/.footprint
      index f00d7fc..02c767e 100644
      --- a/core/ports/linux-blob/.footprint
      +++ b/core/ports/linux-blob/.footprint
      @@ -1,61 +1,56 @@
       drwxr-xr-x	root/root	boot/
      --rw-r--r--	root/root	boot/System.map-4.9.10-blob
      --rw-r--r--	root/root	boot/config-4.9.10-blob
      --rw-r--r--	root/root	boot/vmlinuz-4.9.10-blob
      +-rw-r--r--	root/root	boot/System.map-4.9.11-blob
      +-rw-r--r--	root/root	boot/config-4.9.11-blob
      +-rw-r--r--	root/root	boot/vmlinuz-4.9.11-blob
       drwxr-xr-x	root/root	lib/
       drwxr-xr-x	root/root	lib/modules/
      -drwxr-xr-x	root/root	lib/modules//
      -lrwxrwxrwx	root/root	lib/modules//build -> /usr/src/linux-4.9.10
      -drwxr-xr-x	root/root	lib/modules//kernel/
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/media/
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/media/platform/
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/media/platform/soc_camera/
      --rw-r--r--	root/root	lib/modules//kernel/drivers/media/platform/soc_camera/soc_camera.ko
      --rw-r--r--	root/root	lib/modules//kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko
      --rw-r--r--	root/root	lib/modules//kernel/drivers/media/platform/soc_camera/soc_mediabus.ko
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/media/usb/
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/media/usb/gspca/
      --rw-r--r--	root/root	lib/modules//kernel/drivers/media/usb/gspca/gspca_main.ko
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/media/usb/uvc/
      --rw-r--r--	root/root	lib/modules//kernel/drivers/media/usb/uvc/uvcvideo.ko
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/media/v4l2-core/
      --rw-r--r--	root/root	lib/modules//kernel/drivers/media/v4l2-core/videobuf-core.ko
      --rw-r--r--	root/root	lib/modules//kernel/drivers/media/v4l2-core/videobuf2-core.ko
      --rw-r--r--	root/root	lib/modules//kernel/drivers/media/v4l2-core/videobuf2-memops.ko
      --rw-r--r--	root/root	lib/modules//kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko
      --rw-r--r--	root/root	lib/modules//kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/misc/
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/misc/eeprom/
      --rw-r--r--	root/root	lib/modules//kernel/drivers/misc/eeprom/eeprom_93cx6.ko
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/net/
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/net/wireless/
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/net/wireless/intel/
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/net/wireless/intel/iwlwifi/
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/net/wireless/intel/iwlwifi/dvm/
      --rw-r--r--	root/root	lib/modules//kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko
      --rw-r--r--	root/root	lib/modules//kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
      -drwxr-xr-x	root/root	lib/modules//kernel/drivers/net/wireless/intel/iwlwifi/mvm/
      --rw-r--r--	root/root	lib/modules//kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko
      -drwxr-xr-x	root/root	lib/modules//kernel/fs/
      -drwxr-xr-x	root/root	lib/modules//kernel/fs/ntfs/
      --rw-r--r--	root/root	lib/modules//kernel/fs/ntfs/ntfs.ko
      -drwxr-xr-x	root/root	lib/modules//kernel/lib/
      --rw-r--r--	root/root	lib/modules//kernel/lib/crc-ccitt.ko
      --rw-r--r--	root/root	lib/modules//modules.alias
      --rw-r--r--	root/root	lib/modules//modules.alias.bin
      --rw-r--r--	root/root	lib/modules//modules.builtin
      --rw-r--r--	root/root	lib/modules//modules.builtin.bin
      --rw-r--r--	root/root	lib/modules//modules.dep
      --rw-r--r--	root/root	lib/modules//modules.dep.bin
      --rw-r--r--	root/root	lib/modules//modules.devname (EMPTY)
      --rw-r--r--	root/root	lib/modules//modules.order
      --rw-r--r--	root/root	lib/modules//modules.softdep
      --rw-r--r--	root/root	lib/modules//modules.symbols
      --rw-r--r--	root/root	lib/modules//modules.symbols.bin
      -lrwxrwxrwx	root/root	lib/modules//source -> /usr/src/linux-4.9.10
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/
      +lrwxrwxrwx	root/root	lib/modules/4.9.11-blob/build -> /usr/src/linux-4.9.11
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_camera.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/gspca/
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/gspca/gspca_main.ko
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/uvc/
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/uvc/uvcvideo.ko
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf-core.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-core.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-memops.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/dvm/
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/mvm/
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/fs/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/fs/ntfs/
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/fs/ntfs/ntfs.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.alias
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.alias.bin
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.builtin
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.builtin.bin
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.dep
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.dep.bin
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.devname (EMPTY)
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.order
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.softdep
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.symbols
      +-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.symbols.bin
      +lrwxrwxrwx	root/root	lib/modules/4.9.11-blob/source -> /usr/src/linux-4.9.11
       drwxr-xr-x	root/root	usr/
       drwxr-xr-x	root/root	usr/src/
      --rw-r--r--	root/root	usr/src/4.9.10-blob-config
      --rw-r--r--	root/root	usr/src/4.9.10-cpu_optimizations.patch
      --rw-r--r--	root/root	usr/src/grsecurity-3.1-4.9.9-201702122044.patch
      +-rw-r--r--	root/root	usr/src/4.9.11-blob-config
      +-rw-r--r--	root/root	usr/src/4.9.11-cpu_optimizations.patch
      +-rw-r--r--	root/root	usr/src/grsecurity-3.1-4.9.11-201702181444.patch
      diff --git a/core/ports/linux-blob/.md5sum b/core/ports/linux-blob/.md5sum
      index 614a350..8516def 100644
      --- a/core/ports/linux-blob/.md5sum
      +++ b/core/ports/linux-blob/.md5sum
      @@ -1,7 +1,7 @@
      -7140b24a6e9e13286515e807c2fd4572  config-c9
      +dc71c8f55df123437c468dad7be88757  config-c9
       00bc0d70f200c2673fe7dd6f02053fa4  enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
      -85155985089acdb7c77e8e30fa135c86  grsecurity-3.1-4.9.9-201702122044.patch
      -ce5ab2a86c9b880617e36e84aa2deb6c  linux-4.9.10.tar.xz
      +e4eb7eab3a40968c3bd4a0a19339a6a1  grsecurity-3.1-4.9.11-201702181444.patch
      +98761ce71c603199fe6fcce600c60772  linux-4.9.11.tar.xz
       bcf38b0fbf7bd83323f3202ec082b15a  port-blob-cpu.patch
      -8f47b022540141ceb6a3ac5bc2a3531e  port-blob-grsecurity.patch
      -712ea2454ba5181e999661c94d12c629  port-blob-make.patch
      +48908f447c73e31c2428cb68b00d1e9c  port-blob-grsecurity.patch
      +4a443bf320ede9f5cb183843e85b3b62  port-blob-make.patch
      diff --git a/core/ports/linux-blob/Pkgfile b/core/ports/linux-blob/Pkgfile
      index ecb228d..b312361 100644
      --- a/core/ports/linux-blob/Pkgfile
      +++ b/core/ports/linux-blob/Pkgfile
      @@ -4,11 +4,11 @@
       # Depends on:   grub2 dracut
       
       name=linux-blob
      -version=4.9.10
      -release=1
      +version=4.9.11
      +release=3
       source=(https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-$version.tar.xz \
           https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \
      -    https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch \
      +    http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \
           port-blob-grsecurity.patch \
           port-blob-make.patch \
           port-blob-cpu.patch \
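Review bot: The new source entry fetches `http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch` where the removed line used `https://`, so the kernel hardening patch is now downloaded over plain HTTP and an on-path attacker can substitute its contents; the only integrity check visible in this commit is the MD5 footprint in .md5sum, and MD5 is not collision-resistant. Keep the scheme as `https://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \`, which also matches the kernel tarball and the graysky patch on the lines above, both still fetched over HTTPS. If TLS was dropped because the download failed, record that in a comment rather than silently removing it, and if grsecurity publishes a detached signature for its test patches, verifying it in build() would give a real origin check instead of a checksum. The same file name is repeated in the install and patch -p1 lines of the later hunks; a single `grsec_patch=grsecurity-3.1-4.9.11-201702181444.patch` variable referenced from all three places would make the next version bump a one-line change.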
      @@ -18,12 +18,11 @@ build() {
       
           mkdir -p $PKG/usr/src
       
      -
           # /usr/src/version-cpu_optimizations.patch
           install -m 0644  $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch
       
           # /usr/src/grsecurity-version.patch
      -    install -m 0644  $SRC/grsecurity-3.1-4.9.9-201702122044.patch $PKG/usr/src/
      +    install -m 0644  $SRC/grsecurity-3.1-4.9.11-201702181444.patch $PKG/usr/src/
       
           patch < port-blob-grsecurity.patch
           patch < port-blob-cpu.patch
      @@ -34,7 +33,7 @@ build() {
       
           make distclean
       
      -    patch -p1 < $SRC/grsecurity-3.1-4.9.9-201702122044.patch
      +    patch -p1 < $SRC/grsecurity-3.1-4.9.11-201702181444.patch
           patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
       
           cp $SRC/config-c9 .config
      diff --git a/core/ports/linux-blob/config-c9 b/core/ports/linux-blob/config-c9
      index b6750ec..2b0bb4b 100644
      --- a/core/ports/linux-blob/config-c9
      +++ b/core/ports/linux-blob/config-c9
      @@ -1,6 +1,6 @@
       #
       # Automatically generated file; DO NOT EDIT.
      -# Linux/x86 4.9.10-blob Kernel Configuration
      +# Linux/x86 4.9.11-blob Kernel Configuration
       #
       CONFIG_64BIT=y
       CONFIG_X86_64=y
      @@ -215,7 +215,7 @@ CONFIG_EVENTFD=y
       CONFIG_SHMEM=y
       CONFIG_AIO=y
       CONFIG_ADVISE_SYSCALLS=y
      -CONFIG_PCI_QUIRKS=y
      +# CONFIG_PCI_QUIRKS is not set
       CONFIG_MEMBARRIER=y
       # CONFIG_EMBEDDED is not set
       CONFIG_HAVE_PERF_EVENTS=y
      @@ -329,7 +329,7 @@ CONFIG_MODULE_SIG_SHA256=y
       # CONFIG_MODULE_SIG_SHA512 is not set
       CONFIG_MODULE_SIG_HASH="sha256"
       # CONFIG_MODULE_COMPRESS is not set
      -# CONFIG_TRIM_UNUSED_KSYMS is not set
      +CONFIG_TRIM_UNUSED_KSYMS=y
       CONFIG_MODULES_TREE_LOOKUP=y
       CONFIG_BLOCK=y
       CONFIG_BLK_DEV_BSG=y
      @@ -455,7 +455,7 @@ CONFIG_SWIOTLB=y
       CONFIG_IOMMU_HELPER=y
       # CONFIG_MAXSMP is not set
       CONFIG_NR_CPUS=4
      -# CONFIG_SCHED_SMT is not set
      +CONFIG_SCHED_SMT=y
       CONFIG_SCHED_MC=y
       CONFIG_PREEMPT_NONE=y
       # CONFIG_PREEMPT_VOLUNTARY is not set
      @@ -1357,7 +1357,7 @@ CONFIG_SRAM=y
       # CONFIG_EEPROM_AT25 is not set
       # CONFIG_EEPROM_LEGACY is not set
       # CONFIG_EEPROM_MAX6875 is not set
      -CONFIG_EEPROM_93CX6=m
      +# CONFIG_EEPROM_93CX6 is not set
       # CONFIG_EEPROM_93XX46 is not set
       # CONFIG_CB710_CORE is not set
       
      @@ -4209,8 +4209,8 @@ CONFIG_TASK_SIZE_MAX_SHIFT=42
       CONFIG_GRKERNSEC=y
       CONFIG_GRKERNSEC_CONFIG_AUTO=y
       # CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
      -CONFIG_GRKERNSEC_CONFIG_SERVER=y
      -# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
      +# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
      +CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
       # CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
       # CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
       CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
      @@ -4228,7 +4228,7 @@ CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y
       # Default Special Groups
       #
       CONFIG_GRKERNSEC_PROC_GID=1001
      -CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=1005
      +CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005
       CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006
       
       #
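Review bot: The special groups this block pins (1001, 1005, 1006, with 1002–1004 and 1007 further down the file) are bare numbers to the kernel and nothing in the commit creates them in /etc/group, so on a host where they are still unallocated the next `useradd`/`groupadd` can hand one of them out by accident. An account landing in 1005 becomes TPE-trusted now that the line has flipped to CONFIG_GRKERNSEC_TPE_TRUSTED_GID (CONFIG_GRKERNSEC_TPE_INVERT=y is set later in this file), and one in 1001 gets /proc hidden. Create the groups explicitly before this kernel boots, e.g. `groupadd -g 1005 tpe-trusted`, and keep the gid-to-purpose table in the port's documentation rather than only in .config.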
      @@ -4328,7 +4328,7 @@ CONFIG_GRKERNSEC_LINK=y
       CONFIG_GRKERNSEC_SYMLINKOWN=y
       CONFIG_GRKERNSEC_FIFO=y
       CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
      -# CONFIG_GRKERNSEC_ROFS is not set
      +CONFIG_GRKERNSEC_ROFS=y
       CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
       CONFIG_GRKERNSEC_CHROOT=y
       CONFIG_GRKERNSEC_CHROOT_MOUNT=y
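Review bot: CONFIG_GRKERNSEC_ROFS=y on the changed line only compiles in the kernel.grsecurity.romount_protect sysctl; as far as I recall the Kconfig help, nothing is protected until an init script sets it to 1, and once set it cannot be turned off again (independently of grsec_lock), which also denies writes to every block device. Neither the sysctl setting nor a note about when in the boot sequence to apply it is part of this change, so the option is currently build-time only; the port's sysctl guidance should say `kernel.grsecurity.romount_protect = 1` is expected and that it must come after any remount-rw of /.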
      @@ -4350,15 +4350,16 @@ CONFIG_GRKERNSEC_CHROOT_INITRD=y
       #
       # Kernel Auditing
       #
      -# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
      -# CONFIG_GRKERNSEC_EXECLOG is not set
      +CONFIG_GRKERNSEC_AUDIT_GROUP=y
      +CONFIG_GRKERNSEC_AUDIT_GID=1007
      +CONFIG_GRKERNSEC_EXECLOG=y
       CONFIG_GRKERNSEC_RESLOG=y
      -# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
      -# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
      -# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
      -# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
      +CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
      +CONFIG_GRKERNSEC_AUDIT_PTRACE=y
      +CONFIG_GRKERNSEC_AUDIT_CHDIR=y
      +CONFIG_GRKERNSEC_AUDIT_MOUNT=y
       CONFIG_GRKERNSEC_SIGNAL=y
      -# CONFIG_GRKERNSEC_FORKFAIL is not set
      +CONFIG_GRKERNSEC_FORKFAIL=y
       CONFIG_GRKERNSEC_TIME=y
       CONFIG_GRKERNSEC_PROC_IPADDR=y
       CONFIG_GRKERNSEC_RWXMAP_LOG=y
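Review bot: CONFIG_GRKERNSEC_AUDIT_GROUP=y with CONFIG_GRKERNSEC_AUDIT_GID=1007 narrows the exec and chdir logging enabled in the same hunk (EXECLOG, CHROOT_EXECLOG, AUDIT_CHDIR) to processes in gid 1007 only — per the grsecurity Kconfig help as I remember it — so unless accounts are actually placed in that group this turns on no exec auditing at all, and if the goal is system-wide exec logging AUDIT_GROUP should stay off. The opposite trap is real too: system-wide EXECLOG plus FORKFAIL and AUDIT_PTRACE on a desktop is noisy enough to hit syslog rate limits and drown the signal, so it wants a dedicated log target. Whichever is intended should be written down next to the gid table, since the .config cannot carry the explanation.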
      @@ -4373,8 +4374,8 @@ CONFIG_GRKERNSEC_SETXID=y
       CONFIG_GRKERNSEC_HARDEN_IPC=y
       CONFIG_GRKERNSEC_HARDEN_TTY=y
       CONFIG_GRKERNSEC_TPE=y
      -# CONFIG_GRKERNSEC_TPE_ALL is not set
      -# CONFIG_GRKERNSEC_TPE_INVERT is not set
      +CONFIG_GRKERNSEC_TPE_ALL=y
      +CONFIG_GRKERNSEC_TPE_INVERT=y
       CONFIG_GRKERNSEC_TPE_GID=1005
       
       #
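Review bot: CONFIG_GRKERNSEC_TPE_ALL=y together with CONFIG_GRKERNSEC_TPE_INVERT=y is the strictest TPE combination and the behaviour it produces is not documented anywhere in the port: users outside gid 1005 may only execve files from root-owned directories not writable by others, and even gid-1005 members are limited to root-owned root-only-writable directories or directories they own that are not group/world-writable. Ordinary accounts therefore lose `~/bin`, user-installed tools and freshly compiled test binaries unless they are in 1005, which users will read as breakage rather than policy. Note also that TPE mediates execve only — `sh ./x.sh` or `python x.py` on a non-executable file still runs — so the docs should not present it as script allow-listing.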
      @@ -4382,13 +4383,19 @@ CONFIG_GRKERNSEC_TPE_GID=1005
       #
       CONFIG_GRKERNSEC_BLACKHOLE=y
       CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
      -# CONFIG_GRKERNSEC_SOCKET is not set
      +CONFIG_GRKERNSEC_SOCKET=y
      +CONFIG_GRKERNSEC_SOCKET_ALL=y
      +CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
      +CONFIG_GRKERNSEC_SOCKET_CLIENT=y
      +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
      +CONFIG_GRKERNSEC_SOCKET_SERVER=y
      +CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002
       
       #
       # Physical Protections
       #
       CONFIG_GRKERNSEC_DENYUSB=y
      -# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
      +CONFIG_GRKERNSEC_DENYUSB_FORCE=y
       
       #
       # Sysctl Support
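Review bot: CONFIG_GRKERNSEC_DENYUSB_FORCE=y is, if I remember the Kconfig help correctly, the variant with no sysctl at all: every USB device connected after boot is rejected unconditionally and there is no runtime switch to allow one, and the help text itself says it should not be enabled by general distributions. On the desktop profile this config selects (CONFIG_GRKERNSEC_CONFIG_DESKTOP=y) that means no hot-plugged keyboard, phone or rescue stick, ever; keep CONFIG_GRKERNSEC_DENYUSB=y, drop the FORCE line, and set `kernel.grsecurity.deny_new_usb = 1` from the last init script instead so it can be lifted when needed. The socket groups added in the same hunk (1002–1004) are deny-lists, so they restrict nobody until accounts are placed in them; name them to make that obvious (e.g. `nosock`, `nosock-client`, `nosock-server`) when the groups are created.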
      @@ -4649,7 +4656,7 @@ CONFIG_GENERIC_IOMAP=y
       CONFIG_GENERIC_IO=y
       CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
       CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
      -CONFIG_CRC_CCITT=m
      +CONFIG_CRC_CCITT=y
       CONFIG_CRC16=y
       CONFIG_CRC_T10DIF=y
       CONFIG_CRC_ITU_T=y
      diff --git a/core/ports/linux-blob/port-blob-grsecurity.patch b/core/ports/linux-blob/port-blob-grsecurity.patch
      index 6d27cb4..22d4580 100644
      --- a/core/ports/linux-blob/port-blob-grsecurity.patch
      +++ b/core/ports/linux-blob/port-blob-grsecurity.patch
      @@ -1,5 +1,5 @@
      ---- grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 05:14:08.682388834 +0000
      -+++ grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 05:15:45.579051680 +0000
      +--- grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 05:14:08.682388834 +0000
      ++++ grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 05:15:45.579051680 +0000
       -diff --git a/localversion-grsec b/localversion-grsec
       -new file mode 100644
       -index 0000000..7cd6065
      @@ -10,8 +10,8 @@
        diff --git a/mm/Kconfig b/mm/Kconfig
        index 86e3e0e..ab679cf 100644
        --- a/mm/Kconfig
      ---- grsecurity-3.1-4.9.9-201702122044.patch.orig	2017-02-18 09:07:57.220274062 +0000
      -+++ grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 09:08:16.380274647 +0000
      +--- grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 09:07:57.220274062 +0000
      ++++ grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 09:08:16.380274647 +0000
       @@ -156547,13 +156547,6 @@
         			break;
         		}
      diff --git a/core/ports/linux-blob/port-blob-make.patch b/core/ports/linux-blob/port-blob-make.patch
      index 9184cb5..368d592 100644
      --- a/core/ports/linux-blob/port-blob-make.patch
      +++ b/core/ports/linux-blob/port-blob-make.patch
      @@ -3,7 +3,7 @@
       @@ -1,7 +1,7 @@
        VERSION = 4
        PATCHLEVEL = 9
      - SUBLEVEL = 10
      + SUBLEVEL = 11
       -EXTRAVERSION =
       +EXTRAVERSION = -blob
        NAME = Roaring Lionus
      diff --git a/core/ports/linux-libre/.footprint b/core/ports/linux-libre/.footprint
      index 5d223e7..1279a5d 100644
      --- a/core/ports/linux-libre/.footprint
      +++ b/core/ports/linux-libre/.footprint
      @@ -1,64 +1,59 @@
       drwxr-xr-x	root/root	boot/
      --rw-r--r--	root/root	boot/System.map-4.9.10-grsec
      --rw-r--r--	root/root	boot/config-4.9.10-grsec
      --rw-r--r--	root/root	boot/vmlinuz-4.9.10-grsec
      +-rw-r--r--	root/root	boot/System.map-4.9.11-grsec
      +-rw-r--r--	root/root	boot/config-4.9.11-grsec
      +-rw-r--r--	root/root	boot/vmlinuz-4.9.11-grsec
       drwxr-xr-x	root/root	lib/
       drwxr-xr-x	root/root	lib/modules/
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/
      -lrwxrwxrwx	root/root	lib/modules/4.9.10-grsec/build -> /usr/src/linux-4.9.10
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/soc_camera/
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/soc_camera/soc_camera.ko
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/gspca/
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/gspca/gspca_main.ko
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/uvc/
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/uvc/uvcvideo.ko
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf-core.ko
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf2-core.ko
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf2-memops.ko
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/misc/
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/misc/eeprom/
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/misc/eeprom/eeprom_93cx6.ko
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/fs/
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/fs/ntfs/
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/fs/ntfs/ntfs.ko
      -drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/lib/
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/lib/crc-ccitt.ko
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.alias
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.alias.bin
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.builtin
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.builtin.bin
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.dep
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.dep.bin
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.devname (EMPTY)
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.order
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.softdep
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.symbols
      --rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.symbols.bin
      -lrwxrwxrwx	root/root	lib/modules/4.9.10-grsec/source -> /usr/src/linux-4.9.10
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/
      +lrwxrwxrwx	root/root	lib/modules/4.9.11-grsec/build -> /usr/src/linux-4.9.11
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_camera.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/gspca/
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/gspca/gspca_main.ko
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/uvc/
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/uvc/uvcvideo.ko
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf-core.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-core.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-memops.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/fs/
      +drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/fs/ntfs/
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/fs/ntfs/ntfs.ko
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.alias
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.alias.bin
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.builtin
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.builtin.bin
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.dep
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.dep.bin
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.devname (EMPTY)
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.order
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.softdep
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.symbols
      +-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.symbols.bin
      +lrwxrwxrwx	root/root	lib/modules/4.9.11-grsec/source -> /usr/src/linux-4.9.11
       drwxr-xr-x	root/root	usr/
       drwxr-xr-x	root/root	usr/src/
      --rw-r--r--	root/root	usr/src/4.9.10-cpu_optimizations.patch
      --rw-r--r--	root/root	usr/src/4.9.10-libre-config
      --rw-r--r--	root/root	usr/src/grsecurity-3.1-4.9.9-201702122044.patch
      +-rw-r--r--	root/root	usr/src/4.9.11-cpu_optimizations.patch
      +-rw-r--r--	root/root	usr/src/4.9.11-libre-config
      +-rw-r--r--	root/root	usr/src/grsecurity-3.1-4.9.11-201702181444.patch
       -rw-r--r--	root/root	usr/src/port-libre-cpu.patch
       -rw-r--r--	root/root	usr/src/port-libre-grsecurity.patch
       -rw-r--r--	root/root	usr/src/port-libre-make.patch
      diff --git a/core/ports/linux-libre/.md5sum b/core/ports/linux-libre/.md5sum
      index b481c10..ddd1878 100644
      --- a/core/ports/linux-libre/.md5sum
      +++ b/core/ports/linux-libre/.md5sum
      @@ -1,7 +1,7 @@
      -7140b24a6e9e13286515e807c2fd4572  config-c9
      +bf30b0af56c2621e317cab5e44d4235e  config-c9
       00bc0d70f200c2673fe7dd6f02053fa4  enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
      -85155985089acdb7c77e8e30fa135c86  grsecurity-3.1-4.9.9-201702122044.patch
      -d68753b73b7c87d53424146eceb291f8  linux-libre-4.9.10-gnu.tar.xz
      +e4eb7eab3a40968c3bd4a0a19339a6a1  grsecurity-3.1-4.9.11-201702181444.patch
      +2af743d6b73201d5db83c1ccb175ed30  linux-libre-4.9.11-gnu.tar.xz
       bcf38b0fbf7bd83323f3202ec082b15a  port-libre-cpu.patch
      -470face301667e4a88a7664f69c1ae29  port-libre-grsecurity.patch
      -f8ba546153f4cdcd47b97bd2f8785af1  port-libre-make.patch
      +f9b2f7572adec2c46c1f1be2b784490e  port-libre-grsecurity.patch
      +ce88c28573de7b41ef686f4201d0abfa  port-libre-make.patch
      diff --git a/core/ports/linux-libre/Pkgfile b/core/ports/linux-libre/Pkgfile
      index 9f7a3d0..154435f 100644
      --- a/core/ports/linux-libre/Pkgfile
      +++ b/core/ports/linux-libre/Pkgfile
      @@ -4,11 +4,11 @@
       # Depends on:   grub2 dracut
       
       name=linux-libre
      -version=4.9.10
      -release=3
      +version=4.9.11
      +release=2
       source=(http://linux-libre.fsfla.org/pub/linux-libre/releases/$version-gnu/$name-$version-gnu.tar.xz \
           https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \
      -    https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch \
      +    http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \
           port-libre-grsecurity.patch \
           port-libre-cpu.patch \
           port-libre-make.patch \
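Review bot: The grsecurity source URL on the changed line drops from https:// to http://, so the patch that build() applies across the whole kernel tree is now fetched in the clear and the only integrity check left is the hand-maintained MD5 in .md5sum, which this same commit regenerates. MD5 is still a preimage barrier, but the usual `pkgmk -um` workflow refreshes the digest from whatever was just downloaded, so a tampered fetch over plain HTTP becomes the pinned value with nobody noticing; at minimum restore `https://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch`. grsecurity published a detached `.sig` next to each test patch (if I remember the download layout correctly), and verifying it in build() would pin the download to their key rather than to a digest in the repository. The cpu_optimizations patch pulled from raw.githubusercontent.com at `master` is pre-existing but carries the same exposure.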
      @@ -24,7 +24,7 @@ build() {
           install -m 0644  $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch
       
           # /usr/src/grsecurity-version.patch
      -    install -m 0644  $SRC/grsecurity-3.1-4.9.9-201702122044.patch $PKG/usr/src/
      +    install -m 0644  $SRC/grsecurity-3.1-4.9.11-201702181444.patch $PKG/usr/src/
           install -m 0644  $SRC/port-libre-grsecurity.patch $PKG/usr/src/
           install -m 0644  $SRC/port-libre-cpu.patch $PKG/usr/src/
           install -m 0644  $SRC/port-libre-make.patch $PKG/usr/src/
      @@ -38,7 +38,7 @@ build() {
       
           make distclean
       
      -    patch -p1 < $SRC/grsecurity-3.1-4.9.9-201702122044.patch
      +    patch -p1 < $SRC/grsecurity-3.1-4.9.11-201702181444.patch
           patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
       
           cp $SRC/config-c9 .config
      diff --git a/core/ports/linux-libre/config-c9 b/core/ports/linux-libre/config-c9
      index b6750ec..236d79e 100644
      --- a/core/ports/linux-libre/config-c9
      +++ b/core/ports/linux-libre/config-c9
      @@ -1,6 +1,6 @@
       #
       # Automatically generated file; DO NOT EDIT.
      -# Linux/x86 4.9.10-blob Kernel Configuration
      +# Linux/x86 4.9.11-grsec Kernel Configuration
       #
       CONFIG_64BIT=y
       CONFIG_X86_64=y
      @@ -215,7 +215,7 @@ CONFIG_EVENTFD=y
       CONFIG_SHMEM=y
       CONFIG_AIO=y
       CONFIG_ADVISE_SYSCALLS=y
      -CONFIG_PCI_QUIRKS=y
      +# CONFIG_PCI_QUIRKS is not set
       CONFIG_MEMBARRIER=y
       # CONFIG_EMBEDDED is not set
       CONFIG_HAVE_PERF_EVENTS=y
      @@ -329,7 +329,7 @@ CONFIG_MODULE_SIG_SHA256=y
       # CONFIG_MODULE_SIG_SHA512 is not set
       CONFIG_MODULE_SIG_HASH="sha256"
       # CONFIG_MODULE_COMPRESS is not set
      -# CONFIG_TRIM_UNUSED_KSYMS is not set
      +CONFIG_TRIM_UNUSED_KSYMS=y
       CONFIG_MODULES_TREE_LOOKUP=y
       CONFIG_BLOCK=y
       CONFIG_BLK_DEV_BSG=y
      @@ -455,7 +455,7 @@ CONFIG_SWIOTLB=y
       CONFIG_IOMMU_HELPER=y
       # CONFIG_MAXSMP is not set
       CONFIG_NR_CPUS=4
      -# CONFIG_SCHED_SMT is not set
      +CONFIG_SCHED_SMT=y
       CONFIG_SCHED_MC=y
       CONFIG_PREEMPT_NONE=y
       # CONFIG_PREEMPT_VOLUNTARY is not set
      @@ -1357,7 +1357,7 @@ CONFIG_SRAM=y
       # CONFIG_EEPROM_AT25 is not set
       # CONFIG_EEPROM_LEGACY is not set
       # CONFIG_EEPROM_MAX6875 is not set
      -CONFIG_EEPROM_93CX6=m
      +# CONFIG_EEPROM_93CX6 is not set
       # CONFIG_EEPROM_93XX46 is not set
       # CONFIG_CB710_CORE is not set
       
      @@ -4209,8 +4209,8 @@ CONFIG_TASK_SIZE_MAX_SHIFT=42
       CONFIG_GRKERNSEC=y
       CONFIG_GRKERNSEC_CONFIG_AUTO=y
       # CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
      -CONFIG_GRKERNSEC_CONFIG_SERVER=y
      -# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
      +# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
      +CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
       # CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
       # CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
       CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
      @@ -4228,7 +4228,7 @@ CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y
       # Default Special Groups
       #
       CONFIG_GRKERNSEC_PROC_GID=1001
      -CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=1005
      +CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005
       CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006
       
       #
      @@ -4328,7 +4328,7 @@ CONFIG_GRKERNSEC_LINK=y
       CONFIG_GRKERNSEC_SYMLINKOWN=y
       CONFIG_GRKERNSEC_FIFO=y
       CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
      -# CONFIG_GRKERNSEC_ROFS is not set
      +CONFIG_GRKERNSEC_ROFS=y
       CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
       CONFIG_GRKERNSEC_CHROOT=y
       CONFIG_GRKERNSEC_CHROOT_MOUNT=y
      @@ -4350,15 +4350,16 @@ CONFIG_GRKERNSEC_CHROOT_INITRD=y
       #
       # Kernel Auditing
       #
      -# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
      -# CONFIG_GRKERNSEC_EXECLOG is not set
      +CONFIG_GRKERNSEC_AUDIT_GROUP=y
      +CONFIG_GRKERNSEC_AUDIT_GID=1007
      +CONFIG_GRKERNSEC_EXECLOG=y
       CONFIG_GRKERNSEC_RESLOG=y
      -# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
      -# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
      -# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
      -# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
      +CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
      +CONFIG_GRKERNSEC_AUDIT_PTRACE=y
      +CONFIG_GRKERNSEC_AUDIT_CHDIR=y
      +CONFIG_GRKERNSEC_AUDIT_MOUNT=y
       CONFIG_GRKERNSEC_SIGNAL=y
      -# CONFIG_GRKERNSEC_FORKFAIL is not set
      +CONFIG_GRKERNSEC_FORKFAIL=y
       CONFIG_GRKERNSEC_TIME=y
       CONFIG_GRKERNSEC_PROC_IPADDR=y
       CONFIG_GRKERNSEC_RWXMAP_LOG=y
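Review bot: CONFIG_GRKERNSEC_AUDIT_GROUP=y with CONFIG_GRKERNSEC_AUDIT_GID=1007 restricts the exec and chdir logging turned on in this hunk (EXECLOG, CHROOT_EXECLOG, AUDIT_CHDIR) to processes in gid 1007 — per the grsecurity Kconfig help as I recall it — so without accounts in that group none of that logging fires, and if system-wide exec auditing is the intent AUDIT_GROUP must be off. If system-wide is chosen, EXECLOG plus FORKFAIL and AUDIT_PTRACE will saturate syslog rate limits on an interactive machine and needs its own log target. The decision and the meaning of gid 1007 belong in the port's documentation, since the generated .config cannot hold it.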
      @@ -4373,8 +4374,8 @@ CONFIG_GRKERNSEC_SETXID=y
       CONFIG_GRKERNSEC_HARDEN_IPC=y
       CONFIG_GRKERNSEC_HARDEN_TTY=y
       CONFIG_GRKERNSEC_TPE=y
      -# CONFIG_GRKERNSEC_TPE_ALL is not set
      -# CONFIG_GRKERNSEC_TPE_INVERT is not set
      +CONFIG_GRKERNSEC_TPE_ALL=y
      +CONFIG_GRKERNSEC_TPE_INVERT=y
       CONFIG_GRKERNSEC_TPE_GID=1005
       
       #
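Review bot: CONFIG_GRKERNSEC_TPE_ALL=y combined with CONFIG_GRKERNSEC_TPE_INVERT=y means every user outside gid 1005 can execve only from root-owned directories not writable by others, while gid-1005 members are still held to root-only-writable or self-owned non-group/world-writable directories — behaviour the port documents nowhere. Normal accounts lose `~/bin` and user-installed tools unless added to 1005, which reads as breakage, not policy. Since TPE only covers execve, `sh ./x.sh` still works, so the docs should describe this as a binary-placement restriction rather than script allow-listing.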
      @@ -4382,13 +4383,19 @@ CONFIG_GRKERNSEC_TPE_GID=1005
       #
       CONFIG_GRKERNSEC_BLACKHOLE=y
       CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
      -# CONFIG_GRKERNSEC_SOCKET is not set
      +CONFIG_GRKERNSEC_SOCKET=y
      +CONFIG_GRKERNSEC_SOCKET_ALL=y
      +CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
      +CONFIG_GRKERNSEC_SOCKET_CLIENT=y
      +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
      +CONFIG_GRKERNSEC_SOCKET_SERVER=y
      +CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002
       
       #
       # Physical Protections
       #
       CONFIG_GRKERNSEC_DENYUSB=y
      -# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
      +CONFIG_GRKERNSEC_DENYUSB_FORCE=y
       
       #
       # Sysctl Support
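Review bot: CONFIG_GRKERNSEC_DENYUSB_FORCE=y removes the deny_new_usb sysctl and rejects every USB device plugged in after boot with no runtime override, a setting the Kconfig help (as I recall it) explicitly says general distributions should not enable. For the desktop profile this config selects that forbids hot-plugging any keyboard, phone or rescue medium; keep CONFIG_GRKERNSEC_DENYUSB=y, drop the FORCE line, and set `kernel.grsecurity.deny_new_usb = 1` from the final init script so it can be lifted by an administrator. The socket-deny groups 1002–1004 added alongside restrict nobody until accounts are placed in them and should be named to make the deny semantics obvious.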
      @@ -4649,7 +4656,7 @@ CONFIG_GENERIC_IOMAP=y
       CONFIG_GENERIC_IO=y
       CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
       CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
      -CONFIG_CRC_CCITT=m
      +CONFIG_CRC_CCITT=y
       CONFIG_CRC16=y
       CONFIG_CRC_T10DIF=y
       CONFIG_CRC_ITU_T=y
      diff --git a/core/ports/linux-libre/port-libre-grsecurity.patch b/core/ports/linux-libre/port-libre-grsecurity.patch
      index d437421..cecd956 100644
      --- a/core/ports/linux-libre/port-libre-grsecurity.patch
      +++ b/core/ports/linux-libre/port-libre-grsecurity.patch
      @@ -1,5 +1,5 @@
      ---- grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 05:14:08.682388834 +0000
      -+++ grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 05:15:45.579051680 +0000
      +--- grsecurity-3.1-4.9.11-201702181444.patch 	2017-02-18 05:14:08.682388834 +0000
      ++++ grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 05:15:45.579051680 +0000
       @@ -90805,59 +90805,6 @@
         	if (!file->private_data)
         		return -ENOMEM;
      diff --git a/core/ports/linux-libre/port-libre-make.patch b/core/ports/linux-libre/port-libre-make.patch
      index 6a32ba8..dfbd8af 100644
      --- a/core/ports/linux-libre/port-libre-make.patch
      +++ b/core/ports/linux-libre/port-libre-make.patch
      @@ -3,7 +3,7 @@
       @@ -1,7 +1,7 @@
        VERSION = 4
        PATCHLEVEL = 9
      - SUBLEVEL = 10
      + SUBLEVEL = 11
       -EXTRAVERSION = -gnu
       +EXTRAVERSION = -grsec
        NAME = Roaring Lionus
      diff --git a/core/reboot.html b/core/reboot.html
      index c63f9bc..7bc22ea 100644
      --- a/core/reboot.html
      +++ b/core/reboot.html
      @@ -33,109 +33,17 @@
       
               

      1.4.1. Linux Kernel

      -

      c9-ports have two kernels, linux libre and linux blob. +

      Core ports have two kernels, linux-libre and linux-blob. Port linux-libre kernel is a true source based kernel that respects your freedoms, is x86_64 but not generic configured, - with all drivers as modules or correct graphic driver. - Port linux-blob contain blobs and loads firmware.

      + select modules (drivers) for your hardware, for example + correct graphic driver and disk. Port linux-blob is dangerous, + contain blobs (from bad corporations).

               # cd /usr/ports/c9-ports/linux-libre
               # pkgmk -d
      -        # pkgadd /usr/ports/packages/linux-libre#4.9.9-3.pkg.tar.gz
      -        
      - -

      1.4.2. Dracut - Initramfs

      - -

      Install dracut;

      - -
      -        # cd /usr/ports/c9-ports/dracut
      -        # pkgmk -d
      -        # pkgadd /usr/ports/packages/dracut#044-2.pkg.tar.gz
      -        
      - -

      Review configuration file;

      - -
      -        # PUT YOUR CONFIG IN separate files
      -        # in /etc/dracut.conf.d named ".conf"
      -
      -        # Equivalent to -H
      -        hostonly="yes"
      -
      -        # Mount / and /usr read-only by default.
      -        ro_mnt="no"
      -
      -        # Equivalent to -m "module module module"
      -        dracutmodules+="dash kernel-modules rootfs-block udev-rules usrmount base fs-lib shutdown"
      -
      -        # Equivalent to -a "module"
      -        add_dracutmodules+="caps debug"
      -
      -        # Equivalent to -o "module"
      -        #omit_dracutmodules+="systemd systemd-bootchart systemd-networkd systemd-initrd"
      -
      -        # SEE man dracut.conf(5) for options
      -        
      - -

      Run dracut to create init ram filesystem for - port linux-blob kernel;

      - -
      -        # dracut -v /boot/initramfs-4.9.9-blob.img 4.9.9-blob
      -        
      - -

      1.4.3. Configuring Grub2

      - -

      Create grub file in /etc/default/grub with values;

      - -
      -        GRUB_DISABLE_LINUX_UUID=false
      -        GRUB_ENABLE_LINUX_LABEL=false
      -        
      - -

      Grub Manual, - install grub on MBR of disk sdb;

      - -
      -        # grub-install /dev/sdb
      -        Installation finished. No error reported.
      -        
      - -

      If you are installing on removable media;

      - -
      -        # grub-install --removable /dev/sdb
      -        Installation finished. No error reported.
      -        
      - -

      grub-mkconfig generates grub.cfg, it will try to discover - available kernels and attempt to generate menu entries for - them;

      - -
      -        # grub-mkconfig -o /boot/grub/grub.cfg
      -        Generating grub.cfg ...
      -        Found linux image: /boot/vmlinuz-4.9.9-grsec
      -        done
      -        #
      -        
      - -

      Check /boot/grub/grub.cfg, if is wrong add menu to - /etc/grub.d/40_custom, replace correct msdos partition - from grub-prob output and correct UUID from fstab or blkid

      - -
      -        # grub-probe --target=hints_string /
      -        
      - -

      To add rw as default edit /etc/grub.d/10_linux file, current - version change line 138 to;

      - -
      -        echo    '$message'
      -        linux   ${rel_dirname}/${basename} root=${linux_root_device_thisversion} rw ${args}
      +        # pkgadd /usr/ports/packages/linux-libre#4.9.11-2.pkg.tar.gz
               

      1.4.4. Checkup

      @@ -152,13 +60,13 @@

      Debug initram

      -        /usr/lib/dracut/skipcpio /boot/initramfs-4.9.9-blob.img | gunzip -c | cpio -i -d
      +        /usr/lib/dracut/skipcpio /boot/initramfs-4.9.11-blob.img | gunzip -c | cpio -i -d
               36875 blocks
               
      Core OS Index

      This is part of the c9-doc Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

--
cgit 1.4.1-2-gfad0
From 3c09bd81cd3d2a9732545795fb57901181fc5ad2 Mon Sep 17 00:00:00 2001
From: Silvino Silva 
Date: Tue, 21 Feb 2017 13:56:33 +0000
Subject: core iptables revision
---
core/conf/iptables/iptables-lan.sh | 277 +++++++++++++++++++++++++++++++++++++
core/conf/iptables/rules.v4 | 227 ++++++++++++------------------
core/network.html | 4 +-
3 files changed, 367 insertions(+), 141 deletions(-)
create mode 100644 core/conf/iptables/iptables-lan.sh
(limited to 'core/conf')
diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh
new file mode 100644
index 0000000..fae7345
--- /dev/null
+++ b/core/conf/iptables/iptables-lan.sh
@@ -0,0 +1,277 @@
+#!/bin/sh
+
+#------------------------------------------------------------------------------
+#
+# File: iptables_mint17.sh
+#
+# http://www.hardenedlinux.org
+#
+# Reference: Ruslan Abuzant , http://www.hackersgarage.com/
+# Changed by: Silvino Silva
+#
+# License: GNU GPL (version 2, or any later version).
+#
+# Configuration.
+#------------------------------------------------------------------------------
+
+# For debugging use iptables -v.
+IPTABLES="/usr/sbin/iptables"
+IP6TABLES="/usr/sbin/ip6tables"
+MODPROBE="/sbin/modprobe"
+RMMOD="/sbin/rmmod"
+ARP="/usr/sbin/arp"
+
+# NIC interfaces
+NIC_NAME="enp8s0 wlp7s0"
+
+# Logging options.
+#------------------------------------------------------------------------------
+LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
+LOG="$LOG --log-ip-options"
+
+
+# Defaults for rate limiting
+#------------------------------------------------------------------------------
+RLIMIT="-m limit --limit 3/s --limit-burst 8"
+
+
+# Unprivileged ports.
+#------------------------------------------------------------------------------
+PHIGH="1024:65535"
+PSSH="1000:1023"
+
+
+# Load required kernel modules
+#------------------------------------------------------------------------------
+$MODPROBE ip_conntrack_ftp
+$MODPROBE ip_conntrack_irc
+
+
+# Mitigate ARP spoofing/poisoning and similar attacks.
+#------------------------------------------------------------------------------
+# Hardcode static ARP cache entries here
+# $ARP -s IP-ADDRESS MAC-ADDRESS
+
+
+# Default policies.
+#------------------------------------------------------------------------------
+
+# Drop everything by default.
+$IPTABLES -P INPUT DROP
+$IPTABLES -P FORWARD DROP
+$IPTABLES -P OUTPUT ACCEPT
+
+# Set the nat/mangle/raw tables' chains to ACCEPT
+
+$IPTABLES -t mangle -P PREROUTING ACCEPT
+$IPTABLES -t mangle -P INPUT ACCEPT
+$IPTABLES -t mangle -P FORWARD ACCEPT
+$IPTABLES -t mangle -P OUTPUT ACCEPT
+$IPTABLES -t mangle -P POSTROUTING ACCEPT
+
+# Cleanup.
+#------------------------------------------------------------------------------
+
+# Delete all
+$IPTABLES -F
+$IPTABLES -t mangle -F
+
+# Delete all
+$IPTABLES -X
+$IPTABLES -t mangle -X
+
+# Zero all packets and counters.
+$IPTABLES -Z
+$IPTABLES -t mangle -Z
+
+# Completely disable IPv6.
+#------------------------------------------------------------------------------
+
+# Block all IPv6 traffic
+# If the ip6tables command is available, try to block all IPv6 traffic.
+if test -x $IP6TABLES; then
+# Set the default policies
+# drop everything
+$IP6TABLES -P INPUT DROP 2>/dev/null
+$IP6TABLES -P FORWARD DROP 2>/dev/null
+$IP6TABLES -P OUTPUT DROP 2>/dev/null
+
+# The mangle table can pass everything
+$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
+
+# Delete all rules.
+$IP6TABLES -F 2>/dev/null
+$IP6TABLES -t mangle -F 2>/dev/null
+
+# Delete all chains.
+$IP6TABLES -X 2>/dev/null
+$IP6TABLES -t mangle -X 2>/dev/null
+
+# Zero all packets and counters.
+$IP6TABLES -Z 2>/dev/null
+$IP6TABLES -t mangle -Z 2>/dev/null
+fi
+
+# Custom user-defined chains.
+#------------------------------------------------------------------------------
+
+# LOG packets, then ACCEPT.
+$IPTABLES -N ACCEPTLOG
+$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
+$IPTABLES -A ACCEPTLOG -j ACCEPT
+
+# LOG packets, then DROP.
+$IPTABLES -N DROPLOG
+$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
+$IPTABLES -A DROPLOG -j DROP
+
+# LOG packets, then REJECT.
+# TCP packets are rejected with a TCP reset.
+$IPTABLES -N REJECTLOG
+$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
+$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
+$IPTABLES -A REJECTLOG -j REJECT
+
+# Only allows RELATED ICMP types
+# (destination-unreachable, time-exceeded, and parameter-problem).
+# TODO: Rate-limit this traffic?
+# TODO: Allow fragmentation-needed?
+# TODO: Test.
+$IPTABLES -N RELATED_ICMP
+$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
+$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
+$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
+$IPTABLES -A RELATED_ICMP -j DROPLOG
+
+# Make It Even Harder To Multi-PING
+$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
+$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
+$IPTABLES -A INPUT -p icmp -j DROP
+$IPTABLES -A OUTPUT -p icmp -j ACCEPT
+
+# Only allow the minimally required/recommended parts of ICMP. Block the rest.
+#------------------------------------------------------------------------------
+
+# TODO: This section needs a lot of testing!
+
+# First, drop all fragmented ICMP packets (almost always malicious).
+$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
+$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
+$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG
+
+# Allow all ESTABLISHED ICMP traffic.
+$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
+$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
+
+# Allow some parts of the RELATED ICMP traffic, block the rest.
+$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
+$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
+
+# Allow incoming ICMP echo requests (ping), but only rate-limited.
+$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
+
+# Allow outgoing ICMP echo requests (ping), but only rate-limited.
+$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
+
+# Drop any other ICMP traffic.
+$IPTABLES -A INPUT -p icmp -j DROPLOG
+$IPTABLES -A OUTPUT -p icmp -j DROPLOG
+$IPTABLES -A FORWARD -p icmp -j DROPLOG
+
+# Selectively allow certain special types of traffic.
+#------------------------------------------------------------------------------
+
+# Allow loopback interface to do anything.
+$IPTABLES -A INPUT -i lo -j ACCEPT
+$IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+# Allow incoming connections related to existing allowed connections.
+$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Allow outgoing connections EXCEPT invalid
+$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# Miscellaneous.
+#------------------------------------------------------------------------------
+
+# We don't care about Milkosoft, Drop SMB/CIFS/etc..
+# ^ person before me; my label = psychogreedyevilsoft
+$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
+$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
+
+# Explicitly drop invalid incoming traffic
+$IPTABLES -A INPUT -m state --state INVALID -j DROP
+
+# Drop invalid outgoing traffic, too.
+$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+
+# If we would use NAT, INVALID packets would pass - BLOCK them anyways
+$IPTABLES -A FORWARD -m state --state INVALID -j DROP
+
+# PORT Scanners (stealth also)
+$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
+$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
+
+# TODO: Some more anti-spoofing rules? For example:
+$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG
+
+$IPTABLES -N SYN_FLOOD
+$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
+$IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
+
+$IPTABLES -A SYN_FLOOD -j DROP
+
+$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
+$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+
+$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+$IPTABLES -A INPUT -f -j DROP
+
+
+# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
+
+# Selectively allow certain inbound connections, block the rest.
+#------------------------------------------------------------------------------
+
+# Allow incoming SSH requests.
+$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+
+# Explicitly log and reject everything else.
+#------------------------------------------------------------------------------
+# Use REJECT instead of REJECTLOG if you don't need/want logging.
+$IPTABLES -A INPUT -j REJECTLOG
+$IPTABLES -A OUTPUT -j REJECTLOG
+$IPTABLES -A FORWARD -j REJECTLOG
+
+# Counter hits
+
+for i in $NIC_NAME
+do
+ iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set
+ iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP
+done
+
+#------------------------------------------------------------------------------
+# Testing the firewall.
+#------------------------------------------------------------------------------
+
+# You should check/test that the firewall really works, using
+# iptables -vnL, nmap, ping, telnet, ...
+
+# Exit gracefully.
+#------------------------------------------------------------------------------
+
+ exit 0
diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4
index 419962f..5a2ffe8 100644
--- a/core/conf/iptables/rules.v4
+++ b/core/conf/iptables/rules.v4
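Review bot: The three "Make It Even Harder To Multi-PING" lines appended to INPUT (rate-limited `-j ACCEPT`, `-j LOG`, then `-p icmp -j DROP`) sit ahead of the whole ICMP section that follows them, so on INPUT the `--fragment -j DROPLOG`, the ESTABLISHED/RELATED handling, the rate-limited echo-request accept and the final `-p icmp -j DROPLOG` can never match, and the limiter admits every ICMP type rather than only echo-request. The same shadowing hits the TCP-flags rules: `--tcp-flags ALL FIN,URG,PSH -j DROP`, `SYN,RST SYN,RST -j DROP` and `SYN,FIN SYN,FIN -j DROP` precede their DROPLOG twins, so those probes are dropped silently and the logging rules are dead. Removing the three Multi-PING INPUT lines (the section below already limits echo-request via `$RLIMIT`) and the three plain-DROP flag rules fixes both; the rules.v4 dump in this commit shows the same unreachable order. The `for i in $NIC_NAME` loop also invokes bare `iptables` instead of `$IPTABLES`, so that part silently depends on PATH.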
@@ -1,158 +1,105 @@
-# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016
+# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
 *security
-:INPUT ACCEPT [6:2056]
+:INPUT ACCEPT [3624:2121853]
 :FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [6:2056]
+:OUTPUT ACCEPT [3590:999020]
 COMMIT
-# Completed on Sat Oct 15 17:20:41 2016
-# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016
+# Completed on Tue Feb 21 13:55:04 2017
+# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
 *raw
-:PREROUTING ACCEPT [7:2092]
-:OUTPUT ACCEPT [6:2056]
+:PREROUTING ACCEPT [5432:2268406]
+:OUTPUT ACCEPT [3623:1011362]
 COMMIT
-# Completed on Sat Oct 15 17:20:41 2016
-# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016
+# Completed on Tue Feb 21 13:55:04 2017
+# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
+*nat
+:PREROUTING ACCEPT [1808:146553]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [322:28410]
+:POSTROUTING ACCEPT [289:16068]
+COMMIT
+# Completed on Tue Feb 21 13:55:04 2017
+# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
 *mangle
-:PREROUTING ACCEPT [7:2092]
-:INPUT ACCEPT [6:2056]
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [6:2056]
-:POSTROUTING ACCEPT [6:2056]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
 COMMIT
-# Completed on Sat Oct 15 17:20:41 2016
-# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016
+# Completed on Tue Feb 21 13:55:04 2017
+# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
-:OUTPUT DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:ACCEPTLOG - [0:0]
+:DROPLOG - [0:0]
+:REJECTLOG - [0:0]
+:RELATED_ICMP - [0:0]
+:SYN_FLOOD - [0:0]
+-A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
+-A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
+-A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
+-A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
+-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT
+-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:"
+-A INPUT -p icmp -j DROP
+-A INPUT -p icmp -f -j DROPLOG
+-A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
+-A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
+-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
+-A INPUT -p icmp -j DROPLOG
 -A INPUT -i lo -j ACCEPT
--A INPUT -i br0 -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
+-A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
+-A INPUT -m state --state INVALID -j DROP
+-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG
+-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG
+-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
 -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
 -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
 -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
 -A INPUT -f -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
--A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
--A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
--A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-#################################################################################
-# INPUT
-# Established connections and passive
-#
-
-# Allow established from dns server
-#-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-# INPUT accept passive
--A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT
-
-
-# Allow irc
--A INPUT -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-# Allow xmmp
--A INPUT -p tcp -m tcp --sport 5222 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
-# Allow established from https server
--A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
--A INPUT -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-
-# Allow established from http server
--A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-# Allow established from rsync server
--A INPUT -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-# Allow established from pop3s server
--A INPUT -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-# Allow established from smtps server
--A INPUT -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-# Allow established from ntp server
--A INPUT -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-# Allow established from whois server
--A INPUT -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-# Allow established from ftp server
--A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-##################################################################################
-# INPUT
-# New and established connections to local servers
-#
-
-# INPUT accept from wlp7s0 to dns server
-#-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-
-# INPUT accept from wlp7s0 to https server
--A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-# INPUT accept from wlp7s0 to ssh server
--A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT
-
-
--A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
--A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
-
-##################################################################################
-# Output
-# Connections to remote servers
-#
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECTLOG
+-A FORWARD -p icmp -f -j DROPLOG
+-A FORWARD -p icmp -j DROPLOG
+-A FORWARD -m state --state INVALID -j DROP
+-A FORWARD -j REJECTLOG
+-A OUTPUT -p icmp -j ACCEPT
+-A OUTPUT -p icmp -f -j DROPLOG
+-A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
+-A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
+-A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
+-A OUTPUT -p icmp -j DROPLOG
 -A OUTPUT -o lo -j ACCEPT
--A OUTPUT -o br0 -j ACCEPT
-
-# Allow to ssh clients
--A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-
-# Allow to dns
-#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow from dns server
-#-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-
-# Allow irc
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow xmmp
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-
-
-# Allow to rsync server
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to pop3s server
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to smtps server
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to ntp server
--A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to ftp server
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to https server
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
--A OUTPUT -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to http server
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-
-##################################################################################
-# Output
-# Connections from local servers
-#
-
-
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
-
-
--A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
-COMMIT
-# Completed on Sat Oct 15 17:20:41 2016
-# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016
-*nat
-:PREROUTING ACCEPT [1:36]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
+-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state INVALID -j DROP
+-A OUTPUT -j REJECTLOG
+-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
+-A ACCEPTLOG -j ACCEPT
+-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
+-A DROPLOG -j DROP
+-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
+-A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
+-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable
+-A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT
+-A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT
+-A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT
+-A RELATED_ICMP -j DROPLOG
+-A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN
+-A SYN_FLOOD -j DROP
 COMMIT
-# Completed on Sat Oct 15 17:20:41 2016
+# Completed on Tue Feb 21 13:55:04 2017
diff --git a/core/network.html b/core/network.html
index ebea495..bcf52f5 100644
--- a/core/network.html
+++ b/core/network.html
@@ -118,7 +118,9 @@ arch wiki. You can use /etc/iptables/rules.v4 - as template, replace interface by the one facing the router/gateway. + or + /etc/iptables/iptables-lan.sh + as a template, replace interfaces by correct ones. This configuration file is used at boot time by iptables-restore command, if you use a script or change the rules of running system you can use iptables-save command to save configuration to a file.
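Review bot: In this saved ruleset `-A INPUT -i lo -j ACCEPT` is reached only after the `-p icmp` limiter, the `PING-DROP:` LOG and `-A INPUT -p icmp -j DROP`, so ICMP on the loopback interface (local ICMP errors, `ping 127.0.0.1`) is capped at 1/sec and anything above that is logged and dropped. The loopback accept should be the first rule in INPUT and OUTPUT; the order comes from iptables-lan.sh in this commit, so fix it there and regenerate the dump instead of editing the dump by hand. Since network.html below now offers this file as a template, readers should be told the `-m recent` SSH limiter rules are bound to `-i wlp7s0` and `-i enp8s0` and need the same interface substitution as the rest.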

      -- cgit 1.4.1-2-gfad0 From d26a4e12deafade205d37a9fda748a6b78dfdb6a Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 25 Feb 2017 18:40:03 +0000 Subject: overall revesion --- core/bash.html | 10 +- core/conf/iptables/iptables-lan.sh | 143 ++++++++++++++++++--------- core/conf/iptables/rules.v4 | 76 +++++++------- core/conf/sysctl.conf | 148 +++++++++++++++------------- core/dash.html | 4 +- core/exim.html | 33 ++++--- core/grsecurity.html | 85 ++++++++++++++++ core/hardening.html | 197 +++++++++++++++++++++++++++++++++++++ core/index.html | 51 +++++----- core/linux.html | 71 +++++++------ core/network.html | 16 +-- core/package.html | 16 +-- core/ports.html | 8 +- core/reboot.html | 11 ++- core/scripts/setup-install.sh | 2 +- core/tmux.html | 6 +- core/tty-terminal.html | 4 +- tools/conf/etc/rc.d/dnscrypt-proxy | 5 +- tools/dnsmasq.html | 7 +- tools/gitolite.html | 3 +- tools/index.html | 6 -- tools/mutt.html | 10 +- tools/qemu.html | 18 ++-- tools/x.html | 28 ++++-- 24 files changed, 671 insertions(+), 287 deletions(-) create mode 100644 core/grsecurity.html create mode 100644 core/hardening.html (limited to 'core/conf') diff --git a/core/bash.html b/core/bash.html index 2c1f6e9..353d7df 100644 --- a/core/bash.html +++ b/core/bash.html @@ -2,12 +2,12 @@ - 2.4.2. Bash + 2.5.2. Bash Core OS Index -

      2.4.2. Bash

      +

      2.5.2. Bash

      Just to be sure, setup bash as default login;

      @@ -32,7 +32,7 @@ alias, editor. -

      2.4.2.1. Profile

      +

      2.5.2.1. Profile

      Example of ~/.profile;

      @@ -43,7 +43,7 @@ export SSH_AUTH_SOCK # enable gpg-agent for ssh
      -

      2.4.2.2. Bash RC

      +

      2.5.2.2. Bash RC

      Example of ~/.bashrc;

      @@ -106,7 +106,7 @@ fi -

      2.4.2.3. Bash profile

      +

      2.5.2.3. Bash profile

      Example of ~/.bash_profile;

      diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh index fae7345..58d92c3 100644 --- a/core/conf/iptables/iptables-lan.sh +++ b/core/conf/iptables/iptables-lan.sh @@ -26,8 +26,7 @@ NIC_NAME="enp8s0 wlp7s0" # Logging options. #------------------------------------------------------------------------------ -LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options" -LOG="$LOG --log-ip-options" +LOG="LOG --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options" # Defaults for rate limiting @@ -59,9 +58,9 @@ $MODPROBE ip_conntrack_irc # Drop everything by default. $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP -$IPTABLES -P OUTPUT ACCEPT +$IPTABLES -P OUTPUT DROP -# Set the nat/mangle/raw tables' chains to ACCEPT +# Set the nat/mangle/raw tables' chains to DROP $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P INPUT ACCEPT 
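Review bot: The rewritten comment `# Set the nat/mangle/raw tables' chains to DROP` no longer describes the code under it, which still sets every mangle chain to ACCEPT and never touches nat or raw; the previous wording was the accurate one. Suggest `# mangle passes everything; nat/raw are left at their kernel defaults (ACCEPT).` Setting `-P OUTPUT DROP` before the flush is the right order (the host fails closed while the script runs), so only the comment needs changing here.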
@@ -89,53 +88,58 @@ $IPTABLES -t mangle -Z # Block all IPv6 traffic # If the ip6tables command is available, try to block all IPv6 traffic. -if test -x $IP6TABLES; then +#if test -x $IP6TABLES; then # Set the default policies # drop everything -$IP6TABLES -P INPUT DROP 2>/dev/null -$IP6TABLES -P FORWARD DROP 2>/dev/null -$IP6TABLES -P OUTPUT DROP 2>/dev/null - -# The mangle table can pass everything -$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null +#$IP6TABLES -P INPUT DROP +#$IP6TABLES -P FORWARD DROP +#$IP6TABLES -P OUTPUT DROP +# +## The mangle table can pass everything +#$IP6TABLES -t mangle -P PREROUTING ACCEPT +#$IP6TABLES -t mangle -P INPUT ACCEPT +#$IP6TABLES -t mangle -P FORWARD ACCEPT +#$IP6TABLES -t mangle -P OUTPUT ACCEPT +#$IP6TABLES -t mangle -P POSTROUTING ACCEPT # Delete all rules. -$IP6TABLES -F 2>/dev/null -$IP6TABLES -t mangle -F 2>/dev/null - -# Delete all chains. -$IP6TABLES -X 2>/dev/null -$IP6TABLES -t mangle -X 2>/dev/null - -# Zero all packets and counters. -$IP6TABLES -Z 2>/dev/null -$IP6TABLES -t mangle -Z 2>/dev/null -fi +#$IP6TABLES -F 2>/dev/null +#$IP6TABLES -t mangle -F 2>/dev/null +# +## Delete all chains. +#$IP6TABLES -X 2>/dev/null +#$IP6TABLES -t mangle -X 2>/dev/null +# +## Zero all packets and counters. +#$IP6TABLES -Z 2>/dev/null +#$IP6TABLES -t mangle -Z 2>/dev/null +#fi # Custom user-defined chains. #------------------------------------------------------------------------------ # LOG packets, then ACCEPT. $IPTABLES -N ACCEPTLOG -$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT " +$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "iptables: ACCEPT " $IPTABLES -A ACCEPTLOG -j ACCEPT # LOG packets, then DROP. 
$IPTABLES -N DROPLOG -$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP " +$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "iptables: DROP " $IPTABLES -A DROPLOG -j DROP # LOG packets, then REJECT. # TCP packets are rejected with a TCP reset. $IPTABLES -N REJECTLOG -$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT " +$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "iptables: REJECT " $IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset $IPTABLES -A REJECTLOG -j REJECT +# Allow loopback interface to do anything. +$IPTABLES -A INPUT -i lo -j ACCEPT +$IPTABLES -A OUTPUT -o lo -j ACCEPT + + # Only allows RELATED ICMP types # (destination-unreachable, time-exceeded, and parameter-problem). # TODO: Rate-limit this traffic? @@ -185,10 +189,6 @@ $IPTABLES -A FORWARD -p icmp -j DROPLOG # Selectively allow certain special types of traffic. #------------------------------------------------------------------------------ -# Allow loopback interface to do anything. -$IPTABLES -A INPUT -i lo -j ACCEPT -$IPTABLES -A OUTPUT -o lo -j ACCEPT - # Allow incoming connections related to existing allowed connections. $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT @@ -199,7 +199,7 @@ $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #------------------------------------------------------------------------------ # We don't care about Milkosoft, Drop SMB/CIFS/etc.. -# ^ person before me; my label = psychogreedyevilsoft +# ^ greedyevilsoft $IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP $IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP 
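Review bot: Commenting out the entire `if test -x $IP6TABLES` block leaves the headers `# Completely disable IPv6.` and `# Block all IPv6 traffic` in place while the script no longer issues a single ip6tables command, so on a host with IPv6 enabled the ip6tables chains keep the kernel default policy of ACCEPT and every restriction the script applies over IPv4 can be bypassed over IPv6. Either keep at least the three `$IP6TABLES -P INPUT/FORWARD/OUTPUT DROP` lines active (adding a `::1` loopback accept, which the original block also lacked) or disable IPv6 at the sysctl level, and reword the header to state what the script actually does now. The commented copies also dropped the `2>/dev/null` from the policy lines, so if they are ever re-enabled on a box without ip6tables the failures will be visible, which is probably preferable to the old silent version.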
@@ -234,12 +234,13 @@ $IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN $IPTABLES -A SYN_FLOOD -j DROP -$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 -$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP - -$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " -$IPTABLES -A INPUT -f -j DROP +#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 30/min --limit-burst 7 -j DROPLOG --log-prefix "iptables: drop sync: " --log-level 7 +#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +#$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +#$IPTABLES -A INPUT -f -j DROP +$IPTABLES -A INPUT -f -j DROPLOG # TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc... 
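Review bot: The commented-out replacement line `#$IPTABLES -A INPUT ... -j DROPLOG --log-prefix "iptables: drop sync: " --log-level 7` is not a valid rule: `--log-prefix` and `--log-level` are options of the LOG target, and DROPLOG is a user chain, so iptables will refuse the line the day someone uncomments it; drop the two options or the line. The live change also loses detection granularity: the non-SYN NEW and fragment drops used to log under their own prefixes (`drop sync`, `drop frag`) and now share DROPLOG's single `iptables: DROP ` prefix, so the log can no longer tell a fragment from any other dropped packet. If that distinction matters for alerting, keep `$IPTABLES -A INPUT -f $RLIMIT -j $LOG --log-prefix "iptables: drop frag: "` ahead of `$IPTABLES -A INPUT -f -j DROP` (and the same pattern for the SYN rule) instead of routing both through DROPLOG.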
@@ -247,22 +248,67 @@ $IPTABLES -A INPUT -f -j DROP
 #------------------------------------------------------------------------------
 # Allow incoming SSH requests.
-$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+
+# Allow incoming https server
+#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --sport $PHIGH -m state --state NEW,ESTABLISHED -j ACCEPT
+
+
+# Selectively allow certain outbound connections, block the rest.
+#------------------------------------------------------------------------------
+#
+
+# Allow ping
+$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+# Allow to ssh clients
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+# Allow to dns
+$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow irc
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to xmmp
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+# Allow to rsync server
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to pop3s server
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to smtps server
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to ntp server
+$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to ftp server
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to https server
+$IPTABLES -A
OUTPUT -p tcp -m tcp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +#$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to http server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + +# Selectively allow certain outbound server connections, block the rest. +#------------------------------------------------------------------------------ + +# Allow from https server +#$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT + +# Allow from dns server +#$IPTABLES -A OUTPUT -p udp -m udp --sport 53 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT # Explicitly log and reject everything else. #------------------------------------------------------------------------------ # Use REJECT instead of REJECTLOG if you don't need/want logging. -$IPTABLES -A INPUT -j REJECTLOG -$IPTABLES -A OUTPUT -j REJECTLOG +$IPTABLES -A INPUT -j DROPLOG +$IPTABLES -A OUTPUT -j DROPLOG $IPTABLES -A FORWARD -j REJECTLOG # Counter hits -for i in $NIC_NAME -do - iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set - iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP -done +#for i in $NIC_NAME +#do +# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set +# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP +#done #------------------------------------------------------------------------------ # Testing the firewall. @@ -273,5 +319,4 @@ done # Exit gracefully. #------------------------------------------------------------------------------ - - exit 0 +exit 0 diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4 index 5a2ffe8..568455a 100644 
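Review bot: The new per-port OUTPUT allowlist is never consulted for normal traffic, because `$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT` (the context line of the `@@ -199,7 +199,7 @@` hunk) is still appended earlier in the chain and already accepts every NEW, ESTABLISHED and RELATED packet, so only INVALID packets ever reach the dport 53/80/443/... rules and the closing `$IPTABLES -A OUTPUT -j DROPLOG`. The saved ruleset in the `@@ -68,31 +64,41 @@` hunk of the second rules.v4 diff shows the same order: `-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT` precedes all of the added OUTPUT rules. To get the egress filtering the comment promises, that blanket rule needs to become `$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` (or be removed) so that NEW connections are decided by the allowlist. Separately, the `--sport 2222` rule labelled "ssh clients" has no matching INPUT accept for dport 2222 anywhere in this diff (the port 22 accept is commented out), so unless inbound SSH is admitted elsewhere it appears to be dead.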
--- a/core/conf/iptables/rules.v4 +++ b/core/conf/iptables/rules.v4 @@ -1,25 +1,25 @@ -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *security -:INPUT ACCEPT [3624:2121853] +:INPUT ACCEPT [4559:2307887] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [3590:999020] +:OUTPUT ACCEPT [4459:962215] COMMIT -# Completed on Tue Feb 21 13:55:04 2017 -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *raw -:PREROUTING ACCEPT [5432:2268406] -:OUTPUT ACCEPT [3623:1011362] +:PREROUTING ACCEPT [18446:3412851] +:OUTPUT ACCEPT [4467:962535] COMMIT -# Completed on Tue Feb 21 13:55:04 2017 -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *nat -:PREROUTING ACCEPT [1808:146553] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [322:28410] -:POSTROUTING ACCEPT [289:16068] +:PREROUTING ACCEPT [13936:1107904] +:INPUT ACCEPT [49:2940] +:OUTPUT ACCEPT [504:40037] +:POSTROUTING ACCEPT [504:40037] COMMIT -# Completed on Tue Feb 21 13:55:04 2017 -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] 
@@ -27,21 +27,18 @@ COMMIT :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Tue Feb 21 13:55:04 2017 -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] -:OUTPUT ACCEPT [0:0] +:OUTPUT DROP [0:0] :ACCEPTLOG - [0:0] :DROPLOG - [0:0] :REJECTLOG - [0:0] :RELATED_ICMP - [0:0] :SYN_FLOOD - [0:0] --A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP --A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource --A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP --A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource +-A INPUT -i lo -j ACCEPT -A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT -A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:" -A INPUT -p icmp -j DROP @@ -50,7 +47,6 @@ COMMIT -A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT -A INPUT -p icmp -j DROPLOG --A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP 
@@ -68,31 +64,41 @@ COMMIT -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A INPUT -f -j DROP --A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT --A INPUT -j REJECTLOG +-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +-A INPUT -f -j DROPLOG +-A INPUT -j DROPLOG -A FORWARD -p icmp -f -j DROPLOG -A FORWARD -p icmp -j DROPLOG -A FORWARD -m state --state INVALID -j DROP -A FORWARD -j REJECTLOG +-A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -j ACCEPT -A OUTPUT -p icmp -f -j DROPLOG -A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT -A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP -A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT -A OUTPUT -p icmp -j DROPLOG --A OUTPUT -o lo -j ACCEPT -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state INVALID -j DROP --A OUTPUT -j REJECTLOG --A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp 
--sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -j DROPLOG +-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options -A ACCEPTLOG -j ACCEPT --A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options -A DROPLOG -j DROP --A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset -A REJECTLOG -j REJECT --reject-with icmp-port-unreachable -A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT 
@@ -102,4 +108,4 @@ COMMIT -A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN -A SYN_FLOOD -j DROP COMMIT -# Completed on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index b60d3e6..d17c0c6 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -2,9 +2,13 @@ # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) # -kernel.printk = 15 1 1 4 -kernel.randomize_va_space = 1 -kernel.shmmax = 500000000 +kernel.printk = 7 1 1 4 +kernel.randomize_va_space = 2 +# Shared Memory +#kernel.shmmax = 500000000 +# Total allocated file handlers that can be allocated +# fs.file-nr= +vm.mmap_min_addr=65536 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 @@ -16,14 +20,13 @@ kernel.pid_max = 65536 # Ioperm and iopl can be used to modify the running kernel. # Unfortunately, some programs need this access to operate properly, # the most notable of which are XFree86 and hwclock. hwclock can be -# remedied by having RTC support in the kernel, so real-time -# clock support is enabled if this option is enabled, to ensure +# remedied by having RTC support in the kernel, so real-time +# clock support is enabled if this option is enabled, to ensure # that hwclock operates correctly. -# +# # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. -#kernel.grsecurity.disable_priv_io = 1 kernel.grsecurity.disable_priv_io = 0 # If you say Y here, attempts to bruteforce exploits against forking 
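Review bot: `# fs.file-nr=` is left as a placeholder under "Total allocated file handlers that can be allocated", but fs.file-nr is a read-only counter; the tunable is fs.file-max, which this file already sets (it is the context line of the `@@ -58,7 +61,7 @@` hunk), so the two placeholder lines can be dropped. `vm.mmap_min_addr=65536` is also the only key written without spaces around `=`; `vm.mmap_min_addr = 65536` matches the rest of the file, and a one-line comment such as `# Lowest address a process may mmap(); blocks NULL-page mappings used by kernel NULL-deref exploits` would record why it was added.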
@@ -36,13 +39,13 @@ kernel.grsecurity.disable_priv_io = 0 # In the suid/sgid case, the attempt is logged, the user has all their # existing instances of the suid/sgid binary terminated and will # be unable to execute any suid/sgid binaries for 15 minutes. -# +# # It is recommended that you also enable signal logging in the auditing # section so that logs are generated when a process triggers a suspicious # signal. # If the sysctl option is enabled, a sysctl option with name # "deter_bruteforce" is created. -#kernel.grsecurity.deter_bruteforce = 1 +kernel.grsecurity.deter_bruteforce = 1 # # Filesystem Protections @@ -58,7 +61,7 @@ fs.file-max = 65535 # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. -kernel.grsecurity.linking_restrictions = 1 +kernel.grsecurity.linking_restrictions = 0 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -72,7 +75,7 @@ kernel.grsecurity.linking_restrictions = 1 # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. -#kernel.grsecurity.enforce_symlinksifowner = 1 +kernel.grsecurity.enforce_symlinksifowner = 0 #kernel.grsecurity.symlinkown_gid = 33 # if you say Y here, users will not be able to write to FIFOs they don't @@ -80,7 +83,7 @@ kernel.grsecurity.linking_restrictions = 1 # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. -#kernel.grsecurity.fifo_restrictions = 1 +kernel.grsecurity.fifo_restrictions = 0 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems 
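Review bot: `kernel.grsecurity.linking_restrictions = 0` in the `@@ -58,7 +61,7 @@` hunk switches off a protection that was previously on, and the `@@ -72,7 +75,7 @@` and `@@ -80,7 +83,7 @@` hunks pin `enforce_symlinksifowner` and `fifo_restrictions` to 0 where they were merely commented. These are exactly the symlink-in-world-writable-directory and FIFO restrictions the surrounding comments describe, so the next reader will want the reason, e.g. `# disabled: <program> follows symlinks in /tmp — TODO re-enable once fixed` next to each. If no program actually required the change, 1 is the safer value for all three.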
@@ -115,14 +118,14 @@ kernel.grsecurity.chroot_caps = 1 # against another published method of breaking a chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_deny_chmod" is # created. -kernel.grsecurity.chroot_deny_chmod = 1 +kernel.grsecurity.chroot_deny_chmod = 1 # If you say Y here, processes inside a chroot will not be able to chroot # again outside the chroot. This is a widely used method of breaking -# out of a chroot jail and should not be allowed. If the sysctl -# option is enabled, a sysctl option with name +# out of a chroot jail and should not be allowed. If the sysctl +# option is enabled, a sysctl option with name # "chroot_deny_chroot" is created. -kernel.grsecurity.chroot_deny_chroot = 1 +kernel.grsecurity.chroot_deny_chroot = 1 # If you say Y here, a well-known method of breaking chroots by fchdir'ing # to a file descriptor of the chrooting process that points to a directory @@ -182,14 +185,14 @@ kernel.grsecurity.chroot_deny_unix = 1 # directory, so that `.' can be outside the tree rooted at # `/'. In particular, the super-user can escape from a # `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. -# +# # It is recommended that you say Y here, since it's not known to break # any software. If the sysctl option is enabled, a sysctl option with # name "chroot_enforce_chdir" is created. kernel.grsecurity.chroot_enforce_chdir = 1 # If you say Y here, processes inside a chroot will not be able to -# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, +# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, # getsid, or view any process outside of the chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_findtask" is # created. 
@@ -212,7 +215,7 @@ kernel.grsecurity.chroot_restrict_nice = 1 # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. -kernel.grsecurity.audit_group = 0 +kernel.grsecurity.audit_group = 0 # If you say Y here, the exec and chdir logging features will only operate # on a group you specify. This option is recommended if you only want to 
@@ -228,67 +231,64 @@ kernel.grsecurity.audit_group = 0 # name "exec_logging" is created. # WARNING: This option when enabled will produce a LOT of logs, especially # on an active system. -kernel.grsecurity.exec_logging = 0 +kernel.grsecurity.exec_logging = 0 # If you say Y here, all attempts to overstep resource limits will # be logged with the resource name, the requested size, and the current # limit. It is highly recommended that you say Y here. If the sysctl # option is enabled, a sysctl option with name "resource_logging" is # created. If the RBAC system is enabled, the sysctl value is ignored. -#kernel.grsecurity.resource_logging = 1 -kernel.grsecurity.resource_logging = 0 +kernel.grsecurity.resource_logging = 1 # If you say Y here, all executions inside a chroot jail will be logged # to syslog. This can cause a large amount of logs if certain # applications (eg. djb's daemontools) are installed on the system, and # is therefore left as an option. If the sysctl option is enabled, a # sysctl option with name "chroot_execlog" is created. -kernel.grsecurity.chroot_execlog = 0 +kernel.grsecurity.chroot_execlog = 0 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. -#kernel.grsecurity.audit_ptrace = 1 -kernel.grsecurity.audit_ptrace = 0 +kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. -kernel.grsecurity.audit_chdir = 0 +kernel.grsecurity.audit_chdir = 0 # If you say Y here, all mounts and unmounts will be logged. If the # sysctl option is enabled, a sysctl option with name "audit_mount" is # created. 
-#kernel.grsecurity.audit_mount = 1 -kernel.grsecurity.audit_mount = 0 +kernel.grsecurity.audit_mount = 1 # If you say Y here, certain important signals will be logged, such as # SIGSEGV, which will as a result inform you of when a error in a program # occurred, which in some cases could mean a possible exploit attempt. # If the sysctl option is enabled, a sysctl option with name # "signal_logging" is created. -kernel.grsecurity.signal_logging = 0 +kernel.grsecurity.signal_logging = 1 # If you say Y here, all failed fork() attempts will be logged. # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. #kernel.grsecurity.forkfail_logging = 1 -kernel.grsecurity.forkfail_logging = 0 +kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. # If the sysctl option is enabled, a sysctl option with name # "timechange_logging" is created. -#kernel.grsecurity.timechange_logging = 1 +kernel.grsecurity.timechange_logging = 1 # if you say Y here, calls to mmap() and mprotect() with explicit # usage of PROT_WRITE and PROT_EXEC together will be logged when # denied by the PAX_MPROTECT feature. This feature will also # log other problematic scenarios that can occur when PAX_MPROTECT -# is enabled on a binary, like textrels and PT_GNU_STACK. If the +# is enabled on a binary, like textrels and PT_GNU_STACK. If the # sysctl option is enabled, a sysctl option with name "rwxmap_logging" # is created. -#kernel.grsecurity.rwxmap_logging = 1 +kernel.grsecurity.rwxmap_logging = 1 # # Executable Protections 
@@ -305,14 +305,14 @@ kernel.grsecurity.forkfail_logging = 0 kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms -kernel.kptr_restrict = 1 +#kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you # have been using the RBAC system, this option has already been # enabled for several years for all users, with the ability to make # fine-grained exceptions. -# +# # This option only affects the ability of non-root users to ptrace # processes that are not a descendent of the ptracing process. # This means that strace ./binary and gdb ./binary will still work, @@ -327,7 +327,7 @@ kernel.grsecurity.harden_ptrace = 1 # prevent infoleaking of their contents. This option adds # consistency to the use of that file mode, as the binary could normally # be read out when run without privileges while ptracing. -# +# # If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" # is created. kernel.grsecurity.ptrace_readexec = 1 @@ -341,7 +341,7 @@ kernel.grsecurity.ptrace_readexec = 1 # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. -#kernel.grsecurity.consistent_setxid = 1 +kernel.grsecurity.consistent_setxid = 0 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -359,7 +359,7 @@ kernel.grsecurity.ptrace_readexec = 1 # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. -kernel.grsecurity.harden_ipc = 1 +kernel.grsecurity.harden_ipc = 0 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." 
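Review bot: `#kernel.kptr_restrict = 2` comments the setting out while the line above it still reads "Hide symbol addresses in /proc/kallsyms", so after this change the kernel default applies and the comment no longer describes the configuration. If the stricter value is intended the line should be `kernel.kptr_restrict = 2`; if it is deliberately left to the kernel (or to grsecurity's own symbol hiding), the comment should say so. The `@@ -341,7 +341,7 @@` and `@@ -359,7 +359,7 @@` hunks likewise set `consistent_setxid` to 0 and drop `harden_ipc` from 1 to 0; a short reason beside each would document the trade-off.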
@@ -367,7 +367,7 @@ kernel.grsecurity.harden_ipc = 1 # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 -kernel.grsecurity.tpe_gid = 101 +kernel.grsecurity.tpe_gid = 4 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This @@ -386,10 +386,11 @@ kernel.grsecurity.tpe_invert = 1 # world-writable, or in directories owned by root and writable only by # root. If the sysctl option is enabled, a sysctl option with name # "tpe_restrict_all" is created. -kernel.grsecurity.tpe_restrict_all = 0 +kernel.grsecurity.tpe_restrict_all = 1 + +kernel.grsecurity.harden_tty = 1 -#kernel.grsecurity.harden_tty = 1 # # Network Protections # @@ -418,7 +419,7 @@ net.ipv6.conf.lo.disable_ipv6 = 1 #net.ipv6.conf.default.dad_transmits = 0 #net.ipv6.conf.default.max_addresses = 0 -# Avoid a smurf attack +# Avoid a smurf attack, ping scanning net.ipv4.icmp_echo_ignore_broadcasts = 1 # Turn on protection for bad icmp error messages @@ -447,10 +448,6 @@ net.ipv4.conf.default.log_martians = 1 ## ignore echo broadcast requests to prevent being part of smurf attacks (default) net.ipv4.icmp_echo_ignore_broadcasts = 1 -# No source routed packets here -net.ipv4.conf.all.accept_source_route = 0 -net.ipv4.conf.default.accept_source_route = 0 - ## sets the kernels reverse path filtering mechanism to value 1(on) ## will do source validation of the packet's recieved from all the interfaces on the machine ## protects from attackers that are using ip spoofing methods to do harm 
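Review bot: `kernel.grsecurity.tpe_gid = 4` does not match the group layout this same commit documents in core/grsecurity.html, which creates `tpe` as gid 200 and `socket-deny-client`/`socket-deny-server` as 203/204, while the `@@ -527,13 +545,13 @@` and `@@ -541,13 +559,13 @@` hunks set `socket_client_gid = 15` and `socket_server_gid = 99` with `socket_client` and `socket_server` now enabled. Because `tpe_invert = 1` is in force (hunk context of `@@ -386,10 +386,11 @@`), the gid here is the *trusted* group, so whatever pre-existing group gid 4 is on this host becomes exempt from TPE, and any members of gids 15 and 99 lose client or server socket access, which will break services running under those groups if they are real system groups. Either the sysctl values or the groupadd lines in the documentation should be aligned, with the choice recorded in a comment such as `# tpe_gid: members of this group are EXEMPT from TPE (tpe_invert = 1)`.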
@@ -459,16 +456,23 @@ net.ipv4.conf.default.rp_filter = 1 #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 + # Make sure no one can alter the routing tables +# Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 +# No source routed packets here +# Discard packets with source routes, ip spoofing +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 -# Act as a router, necessary for Access Point -net.ipv4.ip_forward = 1 -net.ipv4.conf.all.send_redirects = 1 -net.ipv4.conf.default.send_redirects = 1 + +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 + +net.ipv4.ip_forward = 0 # Increase system IP port limits net.ipv4.ip_local_port_range = 2000 65000 
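Review bot: After the move, `# Act as a router, necessary for Access Point` sits under "Make sure no one can alter the routing tables" directly above `net.ipv4.conf.all.accept_redirects = 0`, but that comment belonged to the `net.ipv4.ip_forward = 1` line this hunk removes; with the block now ending in `net.ipv4.ip_forward = 0` and `send_redirects = 0` the comment contradicts the settings. Drop it, or replace it with `# Forwarding and ICMP redirects are off: this host is not a router or access point`. The `accept_source_route = 0` pair re-added here (after the `@@ -447,10 +448,6 @@` hunk removed it) is fine, but its two comment lines say the same thing twice.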
@@ -477,15 +481,29 @@ net.ipv4.ip_local_port_range = 2000 65000 net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 +# Disable proxy_arp +net.ipv4.conf.default.proxy_arp = 0 +net.ipv4.conf.all.proxy_arp = 0 + +# Disable bootp_relay +net.ipv4.conf.default.bootp_relay = 0 +net.ipv4.conf.all.bootp_relay = 0 + +# Decrease TCP fin timeout +net.ipv4.tcp_fin_timeout = 30 +# Decrease TCP keep alive time +net.ipv4.tcp_keepalive_time = 1800 +# Sen SynAck retries to 3 +net.ipv4.tcp_synack_retries = 3 # If you say Y here, neither TCP resets nor ICMP # destination-unreachable packets will be sent in response to packets # sent to ports for which no associated listening process exists. -# This feature supports both IPV4 and IPV6 and exempts the -# loopback interface from blackholing. Enabling this feature +# This feature supports both IPV4 and IPV6 and exempts the +# loopback interface from blackholing. Enabling this feature # makes a host more resilient to DoS attacks and reduces network # visibility against scanners. -# +# # The blackhole feature as-implemented is equivalent to the FreeBSD # blackhole feature, as it prevents RST responses to all packets, not # just SYNs. Under most application behavior this causes no @@ -498,7 +516,7 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # can spend in LAST_ACK state. If you're using haproxy and not # all servers it connects to have this option enabled, consider # disabling this feature on the haproxy host. -# +# # If the sysctl option is enabled, two sysctl options with names # "ip_blackhole" and "lastack_retries" will be created. # While "ip_blackhole" takes the standard zero/non-zero on/off 
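Review bot: `# Sen SynAck retries to 3` has a typo and only restates the key; `# Limit SYN-ACK retransmissions for half-open connections (net.ipv4.tcp_synack_retries)` would say why the value is here. The same applies to `# Decrease TCP fin timeout` and `# Decrease TCP keep alive time` above it: naming the effect (sockets leave FIN_WAIT_2 sooner, idle connections are probed earlier) is more useful than repeating the parameter name.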
@@ -506,14 +524,14 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # "tcp_retries1" and "tcp_retries2". The default value of 4 # prevents a socket from lasting more than 45 seconds in LAST_ACK # state. -#kernel.grsecurity.ip_blackhole = 1 -#kernel.grsecurity.lastack_retries = 4 +kernel.grsecurity.ip_blackhole = 1 +kernel.grsecurity.lastack_retries = 4 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. -#kernel.grsecurity.socket_all = 1 +kernel.grsecurity.socket_all = 0 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID @@ -527,13 +545,13 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. -#kernel.grsecurity.socket_client = 1 +kernel.grsecurity.socket_client = 1 # Here you can choose the GID to disable client socket access for. # Remember to add the users you want client socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_client_gid" is created. -#kernel.grsecurity.socket_client_gid = 203 +kernel.grsecurity.socket_client_gid = 15 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be 
@@ -541,13 +559,13 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. -#kernel.grsecurity.socket_server = 1 +kernel.grsecurity.socket_server = 1 # Here you can choose the GID to disable server socket access for. # Remember to add the users you want server socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_server_gid" is created. -#kernel.grsecurity.socket_server_gid = 204 +kernel.grsecurity.socket_server_gid = 99 # # Physical Protections @@ -559,17 +577,15 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # device insertion will be logged. This option is intended to be # used against custom USB devices designed to exploit vulnerabilities # in various USB device drivers. -# +# # For greatest effectiveness, this sysctl should be set after any # relevant init scripts. This option is safe to enable in distros # as each user can choose whether or not to toggle the sysctl. -#kernel.grsecurity.deny_new_usb = 0 +kernel.grsecurity.deny_new_usb = 0 # # Restrict grsec sysctl changes after this was set # -#kernel.grsecurity.grsec_lock = 1 - - +kernel.grsecurity.grsec_lock = 0 # End of file diff --git a/core/dash.html b/core/dash.html index ed6dbab..a926ce7 100644 --- a/core/dash.html +++ b/core/dash.html @@ -2,13 +2,13 @@ - 2.4.1. Dash + 2.5.1. Dash Core OS Index -
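Review bot: `kernel.grsecurity.grsec_lock = 0` leaves every grsecurity sysctl writable by root at runtime, even though the heading kept above it reads "Restrict grsec sysctl changes after this was set". Keeping it unlocked is defensible while the policy is still being tuned (most values in this file change in this commit), but the comment should say so, e.g. `# 0 while tuning; set to 1 once the grsecurity.* values above are final`. Its position as the last grsecurity line before "# End of file" is the right place for it, since the lock has to be applied after the values it protects.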

      2.4.1. Dash

      +

      2.5.1. Dash

      By default dash installed as /bin/sh, if not relink;

      diff --git a/core/exim.html b/core/exim.html index c1fd494..e922789 100644 --- a/core/exim.html +++ b/core/exim.html @@ -2,24 +2,33 @@ - 2.5. Exim + 2.6. Exim Core OS Index -

      2.5. Exim

      +

      2.6. Exim

      -

      2.5.1. Exim Configuration

      +

      2.6.1. Exim Configuration

      Exim come with default configuration we will change to mach system settings /etc/exim/exim.conf.

      -

      2.5.2. Certificates

      +
      +        $ sudo prt-get depinst mailx
      +        
      -

      Create private key, this example issues a certificate to - core.privat-server.net, if you wish get a subdomain from - afraid.org - pointing to your public ip. -

      +

      2.6.2. Certificates

      + +

      Exim creates a key for you if you just copy exim.conf and start daemon;

      + +
      +        # cp /home/silvino/data/git/c9/c9-doc/core/conf/exim/exim.conf /etc/exim/exim.conf
      +        # sh /etc/rc.d/exim start
      +        SSL certificate /etc/ssl/certs/exim.crt with key /etc/ssl/keys/exim.key for host c9.core created
      +        #
      +        
      + +

      Manually create a private key;

       	$ sudo mkdir /etc/ssl/keys
      @@ -55,7 +64,7 @@
       	# chmod 644 /etc/ssl/certs/exim.cert
       	
      -

      2.5.3. Aliases

      +

      2.6.3. Aliases

      Exim come with default aliases we will change to mach system settings /etc/exim/aliases;

      @@ -100,7 +109,7 @@ #### -

      2.5.4. Smarthost

      +

      2.6.4. Smarthost

      Tony Finch publish a nice configuration reference. @@ -124,7 +133,7 @@ # exim -bt bob@remote.com -

      2.5. Fetchmail

      +

      2.6. Fetchmail

               $ prt-get depinst fetchmail
      diff --git a/core/grsecurity.html b/core/grsecurity.html
      new file mode 100644
      index 0000000..cda9bfb
      --- /dev/null
      +++ b/core/grsecurity.html
      @@ -0,0 +1,85 @@
      +
      +
      +    
      +        
      +        Grsecurity
      +    
      +    
      +
      +        Tools Index
      +
      +        

      Grsecurity

      + +

      Grsecurity utilities are installed and configured in + hardening, kernel witch grsecurity + patch is installed using + linux port.

      + + +

      Special Groups

      +
      +        getent group tpe >/dev/null || groupadd -g 200 tpe
      +        getent group audit >/dev/null || groupadd -g 201 audit
      +        getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all
      +        getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client
      +        getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server
      +        
      + +

      Pax

      + +

      Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.

      + + /usr/bin/grub-script-check + /usr/sbin/grub-probe + /usr/sbin/grub-mkdevicemap + +

      Gradm

      + +

      Gradm is grsecurity access control lists administration utility. Gradm + have a + learning mode + per-subject, per-role or system-wide. Learning mode gather information that + RBAC system supports, it reduces policy size, increase readability and enforces + that is configurable. Protected resources can be added to /etc/grsec/learn_cong + to learning system.

      + +

      Entering in learning mode;

      + +
      +        # gradm -F -L /etc/grsec/learning.log
      +        
      + +

      To perform administrative tasks while system learning is running, + authenticate to admin role;

      + +
      +        # gradm -a admin
      +        
      + +

      When learning system have gather sufficient data disable RBAC system;

      + +
      +        # gradm -D
      +        
      + +

      Now that RBAC is disable data collected can be used to generate ACLs;

      + +
      +        # gradm -F -L /etc/grsec/learning.logs -O /etc/grset/policy
      +        
      + +

      Start RBAC with policy;

      + +
      +        # gradm -E
      +        
      + + Tools Index +

      This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

      + + + diff --git a/core/hardening.html b/core/hardening.html new file mode 100644 index 0000000..478c911 --- /dev/null +++ b/core/hardening.html @@ -0,0 +1,197 @@ + + + + + Hardening + + + + Tools Index + +
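Review bot: The learning-mode walkthrough on this page is internally inconsistent about paths: the log is written with `# gradm -F -L /etc/grsec/learning.log` but read back as `/etc/grsec/learning.logs`, and the generated policy goes to `/etc/grset/policy` while every other example uses `/etc/grsec/`; the generate step should read `# gradm -F -L /etc/grsec/learning.log -O /etc/grsec/policy`. `/etc/grsec/learn_cong` in the Gradm paragraph also looks truncated — presumably `learn_config`, to be confirmed against the gradm docs. The Special Groups block creates gids 200–204 but nothing on the page ties them to a `kernel.grsecurity.*_gid` sysctl, and the sysctl examples elsewhere in this commit use different gids (4, 15, 99); one sentence per group naming the sysctl it is meant to fill would let a reader check the mapping.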

      Hardening

      + +

      Kernel in ports have upstream linux kernel and + grsecurity patch, it should break some functionality + for the user and pkgmk user if tpe protection is active.

      + +
      +        $ sudo prt-get depinst gradm paxtest paxd checksec lynis
      +        
      + +

      Check grsecurity on how to setup + kernel, pax and gradm.

      + +

      Lynis tries to give system overall configuration, without + changing default profile run irrelevant tests. Create a lynis + profile by coping default one and run lynis;

      + +
      +        $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
      +        $ sudo lynis configure settings color=yes
      +        $ sudo lynis show settings
      +        $ sudo lynis show profile
      +        
      + +
      +        $ lynis audit system > lynis_report
      +        $ mv /tmp/lynis.log .
      +        $ mv /tmp/lynis-report.dat .
      +        
      + +

      Add unnecessary tests to profile to have less noise.

      + +

      Rebuild Toolchain

      + +

      Add flags to pkgmk configuration and change specific ports that + don't build with hardening flags. More information about + arch security, + gentoo security, + gcc instrumentation-options + and glibc + configuring and compiling. Edit /etc/pkgmk.conf;

      + +
      +        export CPPFLAGS="-D_FORTIFY_SOURCE=2"
      +        export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4"
      +        export CXXFLAGS="${CFLAGS}"
      +        export LDFLAGS="-z relro"
      +        
      + +

      Core

      + +

      Ports in core collection that need to be changed in order + to build with pkgmk harden configuration.

      + +

      Glibc

      + + + +
      +        export CPPFLAGS=""
      +        export CFLAGS="-O2 -march=native -mtune=native"
      +        export CXXFLAGS="${CFLAGS}"
      +        export LDFLAGS=""
      +        
      + +
      +        ../$name-${version:0:4}/configure --prefix=/usr \
      +                --libexecdir=/usr/lib \
      +                --with-headers=$PKG/usr/include \
      +                --enable-kernel=3.12 \
      +                --enable-add-ons \
      +                --enable-static-nss \
      +                --disable-profile \
      +                --disable-werror \
      +                --without-gd \
      +                --enable-obsolete-rpc \
      +                --enable-multi-arch \
      +                --enable-stackguard-randomization \
      +                --enable-stack-protector=strong
      +        
      + +

      Gcc

      + + + +
      +        export CPPFLAGS=""
      +        export CFLAGS="-O2 -march=native -mtune=native"
      +        export CXXFLAGS="${CFLAGS}"
      +        export LDFLAGS=""
      +        
      + +

      libcap

      + + + +

      bzip2

      + + + +

      hdparm

      + + + +

      Opt

      + +

      lsof

      + + + +

      python

      + + + +

      zip

      + + + +

      glew

      + + + +

      dmenu

      + + + +

      Boost

      + + + +
      +        export CPPFLAGS=""
      +        export CFLAGS="-O2 -march=native -mtune=native"
      +        export CXXFLAGS="${CFLAGS}"
      +        export LDFLAGS=""
      +        
      + +

      Contrib

      + +

      gsl

      + + + + + Tools Index +

      This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

      + + + diff --git a/core/index.html b/core/index.html index 6859376..97376f4 100644 --- a/core/index.html +++ b/core/index.html @@ -79,41 +79,46 @@
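Review bot: The pkgmk flag block enables only partial RELRO: with `-z relro` alone the GOT stays writable until lazy binding completes, so full RELRO needs `export LDFLAGS="-z relro -z now"`, and the block has no `-fPIE`/`-pie`, so the text should either add them or state that position-independent executables are out of scope. The Glibc, Gcc and Boost subsections reset every flag to an empty or non-hardened value, but the page never says what fails with the hardened set; a one-line reason per port would tell a maintainer when each override can be dropped. `$ lynis audit system > lynis_report` is shown without sudo while the profile commands above use it, so it is unclear which user the audit is expected to run as.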
    • 2.1.5. Sysctl
  • - -
  • 2.2. Network +
  • 2.2. Hardening + +
  • +
  • 2.3. Network
  • -
  • 2.3. Package Management +
  • 2.4. Package Management
  • -
  • 2.4. Terminals and shells +
  • 2.5. Terminals and shells
  • -
  • 2.5. Exim +
  • 2.6. Exim
  • diff --git a/core/linux.html b/core/linux.html index 903d9e2..888b916 100644 --- a/core/linux.html +++ b/core/linux.html @@ -164,9 +164,8 @@ kernel.printk = 7 1 1 4 kernel.randomize_va_space = 2 - kernel.kptr_restrict = 2 # Shared Memory - kernel.shmmax = 500000000 + #kernel.shmmax = 500000000 # Total allocated file handlers that can be allocated # fs.file-nr= vm.mmap_min_addr=65536 @@ -188,7 +187,6 @@ # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. - #kernel.grsecurity.disable_priv_io = 1 kernel.grsecurity.disable_priv_io = 0 # If you say Y here, attempts to bruteforce exploits against forking @@ -207,7 +205,7 @@ # signal. # If the sysctl option is enabled, a sysctl option with name # "deter_bruteforce" is created. - #kernel.grsecurity.deter_bruteforce = 1 + kernel.grsecurity.deter_bruteforce = 1 # # Filesystem Protections @@ -223,7 +221,7 @@ # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. - kernel.grsecurity.linking_restrictions = 1 + kernel.grsecurity.linking_restrictions = 0 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -237,7 +235,7 @@ # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. - #kernel.grsecurity.enforce_symlinksifowner = 1 + kernel.grsecurity.enforce_symlinksifowner = 0 #kernel.grsecurity.symlinkown_gid = 33 # if you say Y here, users will not be able to write to FIFOs they don't 
@@ -245,7 +243,7 @@ # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. - #kernel.grsecurity.fifo_restrictions = 1 + kernel.grsecurity.fifo_restrictions = 0 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems @@ -280,14 +278,14 @@ # against another published method of breaking a chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_deny_chmod" is # created. - kernel.grsecurity.chroot_deny_chmod = 1 + kernel.grsecurity.chroot_deny_chmod = 1 # If you say Y here, processes inside a chroot will not be able to chroot # again outside the chroot. This is a widely used method of breaking # out of a chroot jail and should not be allowed. If the sysctl # option is enabled, a sysctl option with name # "chroot_deny_chroot" is created. - kernel.grsecurity.chroot_deny_chroot = 1 + kernel.grsecurity.chroot_deny_chroot = 1 # If you say Y here, a well-known method of breaking chroots by fchdir'ing # to a file descriptor of the chrooting process that points to a directory @@ -400,7 +398,7 @@ # limit. It is highly recommended that you say Y here. If the sysctl # option is enabled, a sysctl option with name "resource_logging" is # created. If the RBAC system is enabled, the sysctl value is ignored. - #kernel.grsecurity.resource_logging = 1 + kernel.grsecurity.resource_logging = 1 # If you say Y here, all executions inside a chroot jail will be logged # to syslog. This can cause a large amount of logs if certain 
@@ -412,8 +410,7 @@ # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. - #kernel.grsecurity.audit_ptrace = 1 - kernel.grsecurity.audit_ptrace = 0 + kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option @@ -423,27 +420,26 @@ # If you say Y here, all mounts and unmounts will be logged. If the # sysctl option is enabled, a sysctl option with name "audit_mount" is # created. - #kernel.grsecurity.audit_mount = 1 - kernel.grsecurity.audit_mount = 0 + kernel.grsecurity.audit_mount = 1 # If you say Y here, certain important signals will be logged, such as # SIGSEGV, which will as a result inform you of when a error in a program # occurred, which in some cases could mean a possible exploit attempt. # If the sysctl option is enabled, a sysctl option with name # "signal_logging" is created. - kernel.grsecurity.signal_logging = 0 + kernel.grsecurity.signal_logging = 1 # If you say Y here, all failed fork() attempts will be logged. # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. #kernel.grsecurity.forkfail_logging = 1 - kernel.grsecurity.forkfail_logging = 0 + kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. # If the sysctl option is enabled, a sysctl option with name # "timechange_logging" is created. - #kernel.grsecurity.timechange_logging = 1 + kernel.grsecurity.timechange_logging = 1 # if you say Y here, calls to mmap() and mprotect() with explicit # usage of PROT_WRITE and PROT_EXEC together will be logged when 
@@ -452,7 +448,7 @@ # is enabled on a binary, like textrels and PT_GNU_STACK. If the # sysctl option is enabled, a sysctl option with name "rwxmap_logging" # is created. - #kernel.grsecurity.rwxmap_logging = 1 + kernel.grsecurity.rwxmap_logging = 1 # # Executable Protections @@ -469,7 +465,7 @@ kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms - kernel.kptr_restrict = 1 + #kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you @@ -505,7 +501,7 @@ # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. - #kernel.grsecurity.consistent_setxid = 1 + kernel.grsecurity.consistent_setxid = 0 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -523,7 +519,7 @@ # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. - kernel.grsecurity.harden_ipc = 1 + kernel.grsecurity.harden_ipc = 0 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." @@ -531,7 +527,7 @@ # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 - kernel.grsecurity.tpe_gid = 101 + kernel.grsecurity.tpe_gid = 4 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This 
@@ -550,10 +546,11 @@ # world-writable, or in directories owned by root and writable only by # root. If the sysctl option is enabled, a sysctl option with name # "tpe_restrict_all" is created. - kernel.grsecurity.tpe_restrict_all = 0 + kernel.grsecurity.tpe_restrict_all = 1 - #kernel.grsecurity.harden_tty = 1 + kernel.grsecurity.harden_tty = 1 + # # Network Protections # @@ -687,14 +684,14 @@ # "tcp_retries1" and "tcp_retries2". The default value of 4 # prevents a socket from lasting more than 45 seconds in LAST_ACK # state. - #kernel.grsecurity.ip_blackhole = 1 - #kernel.grsecurity.lastack_retries = 4 + kernel.grsecurity.ip_blackhole = 1 + kernel.grsecurity.lastack_retries = 4 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. - #kernel.grsecurity.socket_all = 1 + kernel.grsecurity.socket_all = 0 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID @@ -708,13 +705,13 @@ # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. - #kernel.grsecurity.socket_client = 1 + kernel.grsecurity.socket_client = 1 # Here you can choose the GID to disable client socket access for. # Remember to add the users you want client socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_client_gid" is created. - #kernel.grsecurity.socket_client_gid = 203 + kernel.grsecurity.socket_client_gid = 15 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be 
@@ -722,13 +719,13 @@ # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. - #kernel.grsecurity.socket_server = 1 + kernel.grsecurity.socket_server = 1 # Here you can choose the GID to disable server socket access for. # Remember to add the users you want server socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_server_gid" is created. - #kernel.grsecurity.socket_server_gid = 204 + kernel.grsecurity.socket_server_gid = 99 # # Physical Protections @@ -744,12 +741,12 @@ # For greatest effectiveness, this sysctl should be set after any # relevant init scripts. This option is safe to enable in distros # as each user can choose whether or not to toggle the sysctl. - #kernel.grsecurity.deny_new_usb = 0 + kernel.grsecurity.deny_new_usb = 0 # # Restrict grsec sysctl changes after this was set # - #kernel.grsecurity.grsec_lock = 1 + kernel.grsecurity.grsec_lock = 0 # End of file @@ -757,10 +754,10 @@ Core OS Index

    This is part of the c9-doc Manual. -Copyright (C) 2017 -c9 team. -See the file Gnu Free Documentation License -for copying conditions.

    + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.
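Review bot: `kernel.kptr_restrict` ends up unset by this change: the `= 2` line near the top is removed and the `= 1` line under the "Hide symbol addresses in /proc/kallsyms" comment becomes `#kernel.kptr_restrict = 2`, so the documented config no longer hides kernel pointers and the kernel's build default applies; if that is not the intent, keep one active line, `kernel.kptr_restrict = 1` (hidden unless the reader has CAP_SYSLOG) or `= 2` (hidden from everyone). Several protections are relaxed here without explanation — `linking_restrictions`, `enforce_symlinksifowner`, `fifo_restrictions`, `consistent_setxid` and `harden_ipc` all go to 0 — while the logging options go to 1; a short comment next to each 0 saying what broke would justify it, especially since the later sysctl.conf revision in this series sets linking_restrictions and fifo_restrictions back to 1. The gid values (`tpe_gid = 4`, `socket_client_gid = 15`, `socket_server_gid = 99`) do not match the groups created on the grsecurity page (200–204), so the page should state which group each gid refers to.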

    diff --git a/core/network.html b/core/network.html index bcf52f5..4f1f20a 100644 --- a/core/network.html +++ b/core/network.html @@ -2,12 +2,12 @@ - 2. Network + 2.3. Network Core OS Index -

    2. Network

    +

    2.3. Network

    Operation of the network can be handle with init scripts;

    @@ -49,7 +49,7 @@ described scripts then proceed to update system.

    -

    2.2.1. Resolver

    +

    2.3.1. Resolver

    This example will use Chaos Computer Club @@ -65,7 +65,7 @@ # chattr +i /etc/resolv.conf -

    2.2.2. Static IP

    +

    2.3.2. Static IP

    Current example of /etc/rc.d/net;

    @@ -112,7 +112,7 @@ # ip route add default via ${GW} -

    2.2.3. Iptables

    +

    2.3.3. Iptables

    For more information about iptables read arch wiki. @@ -149,7 +149,7 @@

    -

    2.2.4. Wpa and dhcpd

    +

    2.3.4. Wpa and dhcpd

    There is more information on Wiki Wifi Start Scripts and @@ -167,7 +167,7 @@ # iwconfig wlp2s0 essid NAME key s:ABCDE12345 -

    2.2.4.1. Wpa Supplicant

    +

    2.3.4.1. Wpa Supplicant

    Configure wpa supplicant edit;

    @@ -197,7 +197,7 @@ init script to auto load wpa configuration and dhcp client.

    -

    2.2.4.2. Wpa Cli

    +

    2.3.4.2. Wpa Cli

             # wpa_cli
    diff --git a/core/package.html b/core/package.html
    index 3c59669..327029e 100644
    --- a/core/package.html
    +++ b/core/package.html
    @@ -2,13 +2,13 @@
     
         
             
    -        2.3. Package Management
    +        2.4. Package Management
         
         
     
             Core OS Index
     
    -        

    2.3. Package Management

    +

    2.4. Package Management

    For more information read crux handbook Package management front-end: @@ -57,7 +57,7 @@ $ prt-get depinst prt-utils prt-get-bashcompletion

    -

    2.3.1. Update System

    +

    2.4.1. Update System

    Before build software get latest version of port collections;

    @@ -87,7 +87,7 @@ $ prt-get update -fr $(revdep) -

    2.3.2. Install port and dependencies

    +

    2.4.2. Install port and dependencies

    Installing using prt-get tool;

    @@ -111,7 +111,7 @@

    If you user pkgmk and pkgadd allways check if README, pre and post instal files exist.

    -

    2.3.3. Ports collections

    +

    2.4.3. Ports collections

    Clone this documentation;

    @@ -146,7 +146,7 @@ $ sudo ports -u 6c37 -

    2.3.4. Show port information

    +

    2.4.4. Show port information

             $ prt-get info port_name
    @@ -164,13 +164,13 @@
             $ pkginfo -o filename
             
    -

    2.3.5. Show port dependencies

    +

    2.4.5. Show port dependencies

             $ prt-get depends port_name
             
    -

    2.3.6. Print information

    +

    2.4.6. Print information

    Example how to get ports installed from contrib. Maybe there is a "cleaner" way to this, for now is ok;

    diff --git a/core/ports.html b/core/ports.html index 98ccbba..9662e43 100644 --- a/core/ports.html +++ b/core/ports.html @@ -23,8 +23,8 @@ # useradd -U -M -d /usr/ports -s /bin/false pkgmk -

    You can add your self to group pkgmk, Members of this group will - not be under tpe protection.

    +

    You can add your self to group pkgmk. Check if members of this + group are under tpe protection.

             # usermod -a -G pkgmk c9admin
    @@ -62,7 +62,7 @@
             

    Edit fstab, change uid to id of pkgmk, this example 102;

    -        pkgmk /usr/ports/work tmpfs size=30G,uid=102,defaults 0 0
    +        pkgmk /usr/ports/work tmpfs size=30G,uid=102,defaults,mode=0750 0 0
             
    @@ -86,8 +86,6 @@ export CFLAGS="-O2 -march=native -mtune=native"
    -

    "-protector-strong" which only insert stack canaries in fuctions where overflow might actually happen

    -

    Discover number of cores/cpus to hard code -j option.

    diff --git a/core/reboot.html b/core/reboot.html
    index 7bc22ea..23e2996 100644
    --- a/core/reboot.html
    +++ b/core/reboot.html
    @@ -33,13 +33,22 @@
     
             

    1.4.1. Linux Kernel

    -

    Core ports have two kernels, linux-libre and linux-blob. +

    Core ports have two + linux kernels, + linux-libre and + linux-blob. Port linux-libre kernel is a true source based kernel that respects your freedoms, is x86_64 but not generic configured, select modules (drivers) for your hardware, for example correct graphic driver and disk. Port linux-blob is dangerous, contain blobs (from bad corporations).

    +

    Addition to upstream kernel is applied a patch with + more cpu families gcc optimizations and grsecurity patch. + Check tpe protection configuration on + sysctl if breaks functionality + during initial configuration.

    +
             # cd /usr/ports/c9-ports/linux-libre
             # pkgmk -d
    diff --git a/core/scripts/setup-install.sh b/core/scripts/setup-install.sh
    index 01e3bd1..0e0a720 100644
    --- a/core/scripts/setup-install.sh
    +++ b/core/scripts/setup-install.sh
    @@ -270,7 +270,7 @@ setup_ports() {
             PATH=/bin:/usr/bin:/sbin:/usr/sbin \
             /bin/bash -c "id pkgmk >> /etc/fstab"
     
    -    echo "pkgmk                                           /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults 0    0" >> $CHROOT/etc/fstab
    +    echo "pkgmk                                           /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults,mode=0750 0    0" >> $CHROOT/etc/fstab
     
         vim $CHROOT/etc/fstab
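Review bot: The rewritten fstab entry still hard-codes `uid=101` and `gid=102`, while the context line just above appends the output of `id pkgmk` to the chroot's fstab, which suggests the ids are only known at install time; building the entry from the looked-up values (e.g. `pkgmk_uid=$(chroot "$CHROOT" id -u pkgmk)` — the exact chroot invocation is above the hunk) would make sure the new `mode=0750` restriction lands on the intended owner. `$CHROOT` is also unquoted in the redirection, which should be `>> "$CHROOT/etc/fstab"`. The mirrored example in core/ports.html in this commit uses `uid=102` for the same mount, so the two do not agree. `setup_ports` starts and ends outside the hunk.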
     
    diff --git a/core/tmux.html b/core/tmux.html
    index d1ab587..fe494b5 100644
    --- a/core/tmux.html
    +++ b/core/tmux.html
    @@ -2,13 +2,13 @@
     
         
             
    -        2.4.3. Tmux
    +        2.5.3. Tmux
         
     
         
     
             Core OS Index
    -        

    2.4.3. Tmux

    +

    2.5.3. Tmux

    Install tmux, improves cli work efficiency;

    @@ -79,7 +79,7 @@ key } swap pane
    -

    2.4.3.1. Copy paste

    +

    2.5.3.1. Copy paste

    This instructions are valid if tmux.conf file discribed in this document is used;

    diff --git a/core/tty-terminal.html b/core/tty-terminal.html index 47f7bf0..1abf15e 100644 --- a/core/tty-terminal.html +++ b/core/tty-terminal.html @@ -2,13 +2,13 @@ - 2.4. Consoles, terminals and shells + 2.5. Consoles, terminals and shells Core OS Index -

    2.4. Consoles, terminals and shells

    +

    2.5. Consoles, terminals and shells

    Consoles
    diff --git a/tools/conf/etc/rc.d/dnscrypt-proxy b/tools/conf/etc/rc.d/dnscrypt-proxy index 0874fa6..db8cd77 100755 --- a/tools/conf/etc/rc.d/dnscrypt-proxy +++ b/tools/conf/etc/rc.d/dnscrypt-proxy @@ -12,7 +12,7 @@ # Authors: https://github.com/simonclausen/dnscrypt-autoinstall/graphs/contributors # Project site: https://github.com/simonclausen/dnscrypt-autoinstall -USER=nobody +USER=net PATH=/usr/sbin:/usr/bin:/sbin:/bin DAEMON=/usr/sbin/dnscrypt-proxy NAME=dnscrypt-proxy @@ -24,7 +24,8 @@ PKEY1=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A case "$1" in start) echo "Starting $NAME" - $DAEMON --daemonize --ephemeral-keys --user=nobody --local-address=127.0.0.1:40 \ + $DAEMON --daemonize --ephemeral-keys --user=nobody \ + --local-address=127.0.0.1:40 \ --resolver-address=$ADDRESS3 \ --provider-name=$PNAME1 \ --provider-key=$PKEY3 \ diff --git a/tools/dnsmasq.html b/tools/dnsmasq.html index 2aa7b82..720979b 100644 --- a/tools/dnsmasq.html +++ b/tools/dnsmasq.html @@ -14,6 +14,11 @@ censorship there for respect your freedom and privacy. Read Tor Dns Resolver for more information.
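Review bot: `USER` is changed to `net` in the first hunk, but the `start)` arm in the second hunk still launches the daemon with `--user=nobody`, so the process keeps dropping to nobody and the new variable is never used; the line should be `$DAEMON --daemonize --ephemeral-keys --user=$USER \`. The matching page tools/dnsmasq.html in this same commit already shows `sudo -u net dnscrypt-proxy`, so the init script and the documentation currently disagree about the service account. The context lines pair `--resolver-address=$ADDRESS3` and `--provider-key=$PKEY3` with `--provider-name=$PNAME1`; I can't tell from the hunk whether that mix is intended, so it is worth confirming the provider name belongs to the resolver being used. The `case` block continues outside the hunk.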

    +
    +        $ sudo useradd -M -r -s /bin/false -g net net
    +        
    + +

    1. Dnscrypt

    @@ -28,7 +33,7 @@
             nobody user. Basic usage example;

    -        $ sudo -u nobody  dnscrypt-proxy --daemonize --resolver-name=<resolver name>
    +        $ sudo -u net  dnscrypt-proxy --daemonize --resolver-name=<resolver name>
             

    2. Dnsmasq
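Review bot: `$ sudo useradd -M -r -s /bin/false -g net net` assumes a group named `net` already exists, since `-g` selects an existing primary group and no `groupadd` is shown; either add `$ sudo groupadd -r net` before it or let useradd create the group, `$ sudo useradd -M -r -s /bin/false -U net`. The rc.d script patched in this same commit still passes `--user=nobody` to dnscrypt-proxy, so this page and the script disagree about which account the daemon runs as.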

    diff --git a/tools/gitolite.html b/tools/gitolite.html index 94abda0..ab1ad3a 100644 --- a/tools/gitolite.html +++ b/tools/gitolite.html @@ -22,8 +22,7 @@

    Create user and home directory;

    -        # mkdir -p /srv/gitolite
    -        # useradd -r -s /bin/bash -m -d /srv/gitolite gitolite
    +        # useradd -r -s /bin/bash -U -m -d /srv/gitolite gitolite
             # chown gitolite:gitolite /srv/gitolite
             
    diff --git a/tools/index.html b/tools/index.html index da1cd40..2f84114 100644 --- a/tools/index.html +++ b/tools/index.html @@ -68,12 +68,6 @@

    System Administration

      -
    • Hardening - -
    • Network Tools
      • Dnscrypt and Dnsmasq
      • diff --git a/tools/mutt.html b/tools/mutt.html index ef7cdbd..5c72e0c 100644 --- a/tools/mutt.html +++ b/tools/mutt.html @@ -162,7 +162,15 @@

        2.1. System Email

        -

        Content of .mutt/system;

        +

        Check and point enviroment mail variable to new local maildir;

        + +
        +        $ echo "MAIL=$HOME/.mail/" >> ~/.bashrc
        +        $ source ~/.bashrc
        +        $ env | grep MAIL
        +        
        + +

        Content of .mutt/system;

                 color status green default
        diff --git a/tools/qemu.html b/tools/qemu.html
        index 1c58e49..c914d74 100644
        --- a/tools/qemu.html
        +++ b/tools/qemu.html
        @@ -43,22 +43,17 @@
                 this describes how to create a qcow2 type;

        -        $ qemu-img create -f qcow2 crux-img.qcow2 15G
        +        $ qemu-img create -f qcow2 crux-img.qcow2 20G
                 
        -

        You can mount disk image;

        +

        Qemu disk images can be treated as regular disks using + qemu disk network block device server;

                 $ sudo modprobe nbd
                 $ sudo qemu-nbd -c /dev/nbd0 /crux-img.qcow2
                 
        -

        To disconnect image disk (ndb);

        - -
        -        $ sudo qemu-nbd -d /dev/nbd0
        -        
        -

        Information about preparing partitions and storage administration. @@ -100,6 +95,13 @@ # mount $BLK_VAR $CHROOT/var

        +

        Before disconnecting image, clean dev mappings;

        + +
        +        $ sudo kpartx -d /dev/nbd0
        +        $ sudo qemu-nbd -d /dev/nbd0
        +        
        +

        2. Network

        Network configuration;

        diff --git a/tools/x.html b/tools/x.html index e01aaca..ad5ea6d 100644 --- a/tools/x.html +++ b/tools/x.html @@ -40,6 +40,12 @@ $ prt-get search xorg-font-bh | xargs sudo prt-get depinst
    +

    From 6c37 collection;

    + +
    +        $ prt-get depinst otf-sourcecode
    +        
    +

    Configure

    Example of /etc/skel/.xinitrc;

    @@ -170,24 +176,26 @@

    Window Managers

    -

    Dwm

    -        $ sudo prt-get depinst dmenu \
    -            dwm \
    -            spectrwm \
    +        $ sudo prt-get depinst \
    +            alsa-utils \
    +            libdrm \
    +            mesa3d \
    +            ffmpeg \
    +            gstreamer \
    +            gstreamer-vaapi \
    +            gst-plugins-base \
    +            gst-plugins-good \
    +            adwaita-icon-theme \
    +            dmenu \
                 st \
                 conky \
                 dillo \
    -            adwaita-icon-theme \
    +            spectrwm \
                 gparted \
                 gimp \
                 libreoffice \
    -            ffmpeg \
    -            gstreamer \
    -            gstreamer-vaapi \
    -            gst-plugins-base \
    -            gst-plugins-good \
                 epiphany
             
    -- cgit 1.4.1-2-gfad0 From 9069537d8cfe308836864ef0be7c2a1e359d5a4b Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Mon, 27 Feb 2017 21:56:53 +0000 Subject: core and tools revision --- core/conf/sysctl.conf | 67 ++-- core/configure.html | 7 +- core/grsecurity.html | 247 +++++++++++- core/hardening.html | 15 +- core/index.html | 10 +- core/linux.html | 238 +++++++++-- core/ports/linux-blob/.footprint | 95 ++--- core/ports/linux-blob/.md5sum | 10 +- core/ports/linux-blob/Pkgfile | 17 +- core/ports/linux-blob/config-c9 | 444 +++++++++++++-------- core/ports/linux-blob/port-blob-grsecurity.patch | 8 +- core/ports/linux-blob/port-blob-make.patch | 2 +- core/ports/linux-libre/.footprint | 95 ++--- core/ports/linux-libre/.md5sum | 10 +- core/ports/linux-libre/Pkgfile | 15 +- core/ports/linux-libre/config-c9 | 444 +++++++++++++-------- core/ports/linux-libre/port-libre-grsecurity.patch | 4 +- core/ports/linux-libre/port-libre-make.patch | 2 +- core/reboot.html | 11 +- core/samhain.html | 265 ++++++++++++ core/sysctl.html | 35 +- core/toolchain.html | 4 +- tools/conf/etc/asound.conf | 1 + tools/x.html | 6 + 24 files changed, 1452 insertions(+), 600 deletions(-) create mode 100644 core/samhain.html create mode 100644 tools/conf/etc/asound.conf (limited to 'core/conf') diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index d17c0c6..b0972e2 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf 
@@ -20,14 +20,14 @@ kernel.pid_max = 65536 # Ioperm and iopl can be used to modify the running kernel. # Unfortunately, some programs need this access to operate properly, # the most notable of which are XFree86 and hwclock. hwclock can be -# remedied by having RTC support in the kernel, so real-time -# clock support is enabled if this option is enabled, to ensure +# remedied by having RTC support in the kernel, so real-time +# clock support is enabled if this option is enabled, to ensure # that hwclock operates correctly. -# +# # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. -kernel.grsecurity.disable_priv_io = 0 +kernel.grsecurity.disable_priv_io = 1 # If you say Y here, attempts to bruteforce exploits against forking # daemons such as apache or sshd, as well as against suid/sgid binaries @@ -39,7 +39,7 @@ kernel.grsecurity.disable_priv_io = 0 # In the suid/sgid case, the attempt is logged, the user has all their # existing instances of the suid/sgid binary terminated and will # be unable to execute any suid/sgid binaries for 15 minutes. -# +# # It is recommended that you also enable signal logging in the auditing # section so that logs are generated when a process triggers a suspicious # signal. @@ -61,7 +61,7 @@ fs.file-max = 65535 # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. -kernel.grsecurity.linking_restrictions = 0 +kernel.grsecurity.linking_restrictions = 1 # Apache's SymlinksIfOwnerMatch option has an inherent race condition 
@@ -75,15 +75,15 @@ kernel.grsecurity.linking_restrictions = 0 # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. -kernel.grsecurity.enforce_symlinksifowner = 0 -#kernel.grsecurity.symlinkown_gid = 33 +kernel.grsecurity.enforce_symlinksifowner = 1 +kernel.grsecurity.symlinkown_gid = 15 # if you say Y here, users will not be able to write to FIFOs they don't # own in world-writable +t directories (e.g. /tmp), unless the owner of # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. -kernel.grsecurity.fifo_restrictions = 0 +kernel.grsecurity.fifo_restrictions = 1 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems @@ -99,7 +99,7 @@ kernel.grsecurity.fifo_restrictions = 0 # and GRKERNSEC_IO should be enabled and module loading disabled via # config or at runtime. # This feature is mainly intended for secure embedded systems. -#kernel.grsecurity.romount_protect = 0 +#kernel.grsecurity.romount_protect = 1 # if you say Y here, the capabilities on all processes within a # chroot jail will be lowered to stop module insertion, raw i/o, @@ -122,8 +122,8 @@ kernel.grsecurity.chroot_deny_chmod = 1 # If you say Y here, processes inside a chroot will not be able to chroot # again outside the chroot. This is a widely used method of breaking -# out of a chroot jail and should not be allowed. If the sysctl -# option is enabled, a sysctl option with name +# out of a chroot jail and should not be allowed. If the sysctl +# option is enabled, a sysctl option with name # "chroot_deny_chroot" is created. kernel.grsecurity.chroot_deny_chroot = 1 
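Review bot: `kernel.grsecurity.symlinkown_gid = 15` here, and `audit_gid = 99` in the next hunk, replace the commented values `33` and `201` with gids that nothing in the file explains, and the groups created by the documentation in this series (`audit` 201, `socket-deny-*` 202–204) do not use them; a comment naming the group each gid refers to, e.g. `# gid of <group-name>, see getent group`, would let an admin verify the mapping on the target host. `enforce_symlinksifowner = 1` applies only to the group given, so a wrong gid leaves the check effectively off. The `romount_protect` line stays commented out, so changing its value from 0 to 1 has no effect until the `#` is removed.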
@@ -185,14 +185,14 @@ kernel.grsecurity.chroot_deny_unix = 1
 # directory, so that `.' can be outside the tree rooted at
 # `/'. In particular, the super-user can escape from a
 # `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
-#
+#
 # It is recommended that you say Y here, since it's not known to break
 # any software. If the sysctl option is enabled, a sysctl option with
 # name "chroot_enforce_chdir" is created.
 kernel.grsecurity.chroot_enforce_chdir = 1
 # If you say Y here, processes inside a chroot will not be able to
-# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
+# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
 # getsid, or view any process outside of the chroot. If the sysctl
 # option is enabled, a sysctl option with name "chroot_findtask" is
 # created.
@@ -215,14 +215,14 @@ kernel.grsecurity.chroot_restrict_nice = 1
 # watch certain users instead of having a large amount of logs from the
 # entire system. If the sysctl option is enabled, a sysctl option with
 # name "audit_group" is created.
-kernel.grsecurity.audit_group = 0
+kernel.grsecurity.audit_group = 1
 # If you say Y here, the exec and chdir logging features will only operate
 # on a group you specify. This option is recommended if you only want to
 # watch certain users instead of having a large amount of logs from the
 # entire system. If the sysctl option is enabled, a sysctl option with
 # name "audit_group" is created.
-#kernel.grsecurity.audit_gid = 201
+kernel.grsecurity.audit_gid = 99
 # If you say Y here, all execve() calls will be logged (since the
 # other exec*() calls are frontends to execve(), all execution
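Review bot: `kernel.grsecurity.audit_gid = 99` points exec/chdir auditing at the nobody group, which the grsecurity page also uses as the socket-server-deny group, so the same GID now carries two unrelated policies and any daemon running as nobody is both audited and denied listening sockets. A dedicated audit group (the previous revision created one with `groupadd -g 201 audit`) keeps the two concerns separable. Note as well that with `exec_logging` left at 0 in the following hunk, `audit_group = 1` only scopes chdir logging, assuming that sysctl is enabled elsewhere in the file; a comment stating that intent above `audit_gid` would help.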
@@ -231,7 +231,7 @@ kernel.grsecurity.audit_group = 0
 # name "exec_logging" is created.
 # WARNING: This option when enabled will produce a LOT of logs, especially
 # on an active system.
-kernel.grsecurity.exec_logging = 0
+kernel.grsecurity.exec_logging = 0
 # If you say Y here, all attempts to overstep resource limits will
 # be logged with the resource name, the requested size, and the current
@@ -245,12 +245,12 @@ kernel.grsecurity.resource_logging = 1
 # applications (eg. djb's daemontools) are installed on the system, and
 # is therefore left as an option. If the sysctl option is enabled, a
 # sysctl option with name "chroot_execlog" is created.
-kernel.grsecurity.chroot_execlog = 0
+kernel.grsecurity.chroot_execlog = 0
 # If you say Y here, all attempts to attach to a process via ptrace
 # will be logged. If the sysctl option is enabled, a sysctl option
 # with name "audit_ptrace" is created.
-kernel.grsecurity.audit_ptrace = 1
+#kernel.grsecurity.audit_ptrace = 1
 # If you say Y here, all attempts to attach to a process via ptrace
 # will be logged. If the sysctl option is enabled, a sysctl option
@@ -273,7 +273,6 @@ kernel.grsecurity.signal_logging = 1
 # This could suggest a fork bomb, or someone attempting to overstep
 # their process limit. If the sysctl option is enabled, a sysctl option
 # with name "forkfail_logging" is created.
-#kernel.grsecurity.forkfail_logging = 1
 kernel.grsecurity.forkfail_logging = 1
 # If you say Y here, any changes of the system clock will be logged.
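Review bot: Commenting out `kernel.grsecurity.audit_ptrace = 1` in the second hunk silently disables ptrace-attach logging: the kernel is built with CONFIG_GRKERNSEC_AUDIT_PTRACE=y but CONFIG_GRKERNSEC_SYSCTL_ON unset (see the grsecurity page), so the feature is off unless this sysctl sets it. That log line is one of the cheapest detections of process injection and credential scraping on a host that already has harden_ptrace on, so it should stay `kernel.grsecurity.audit_ptrace = 1`; if noise from a debugger was the reason, say so in a comment rather than dropping the setting. The `exec_logging` and `chroot_execlog` edits in this hunk change only trailing whitespace.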
@@ -285,7 +284,7 @@ kernel.grsecurity.timechange_logging = 1
 # usage of PROT_WRITE and PROT_EXEC together will be logged when
 # denied by the PAX_MPROTECT feature. This feature will also
 # log other problematic scenarios that can occur when PAX_MPROTECT
-# is enabled on a binary, like textrels and PT_GNU_STACK. If the
+# is enabled on a binary, like textrels and PT_GNU_STACK. If the
 # sysctl option is enabled, a sysctl option with name "rwxmap_logging"
 # is created.
 kernel.grsecurity.rwxmap_logging = 1
@@ -305,14 +304,14 @@ kernel.grsecurity.rwxmap_logging = 1
 kernel.grsecurity.dmesg = 1
 # Hide symbol addresses in /proc/kallsyms
-#kernel.kptr_restrict = 2
+kernel.kptr_restrict = 2
 # If you say Y here, TTY sniffers and other malicious monitoring
 # programs implemented through ptrace will be defeated. If you
 # have been using the RBAC system, this option has already been
 # enabled for several years for all users, with the ability to make
 # fine-grained exceptions.
-#
+#
 # This option only affects the ability of non-root users to ptrace
 # processes that are not a descendent of the ptracing process.
 # This means that strace ./binary and gdb ./binary will still work,
@@ -327,7 +326,7 @@ kernel.grsecurity.harden_ptrace = 1
 # prevent infoleaking of their contents. This option adds
 # consistency to the use of that file mode, as the binary could normally
 # be read out when run without privileges while ptracing.
-#
+#
 # If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
 # is created.
 kernel.grsecurity.ptrace_readexec = 1
@@ -341,7 +340,7 @@ kernel.grsecurity.ptrace_readexec = 1
 # same way, allowing the other threads of the process to continue
 # running with root privileges. If the sysctl option is enabled,
 # a sysctl option with name "consistent_setxid" is created.
-kernel.grsecurity.consistent_setxid = 0
+kernel.grsecurity.consistent_setxid = 1
 # If you say Y here, access to overly-permissive IPC objects (shared
 # memory, message queues, and semaphores) will be denied for processes
@@ -359,7 +358,7 @@ kernel.grsecurity.consistent_setxid = 0
 # CAP_IPC_OWNER are still permitted to access these IPC objects.
 # If the sysctl option is enabled, a sysctl option with name
 # "harden_ipc" is created.
-kernel.grsecurity.harden_ipc = 0
+kernel.grsecurity.harden_ipc = 1
 # If you say Y here, you will be able to choose a gid to add to the
 # supplementary groups of users you want to mark as "untrusted."
@@ -367,7 +366,7 @@ kernel.grsecurity.harden_ipc = 0
 # root-owned directories writable only by root. If the sysctl option
 # is enabled, a sysctl option with name "tpe" is created.
 kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_gid = 4
+kernel.grsecurity.tpe_gid = 100
 # If you say Y here, the group you specify in the TPE configuration will
 # decide what group TPE restrictions will be *disabled* for. This
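Review bot: `kernel.grsecurity.tpe_gid = 100` makes the meaning of the group depend on `tpe_invert`, and that sysctl is not visible in these hunks: the kernel is built with CONFIG_GRKERNSEC_TPE_INVERT=y but CONFIG_GRKERNSEC_SYSCTL_ON unset, so unless `kernel.grsecurity.tpe_invert = 1` is set somewhere in this file, GID 100 is treated as the *untrusted* group at runtime and every member of `users` gets the extra restrictions instead of the exemption the grsecurity page describes. Even with invert on, exempting the default `users` group is a broad hole in TPE, since most interactive accounts end up in it; a dedicated trusted group (for example `groupadd tpe-trusted`) would limit the exemption to the accounts that actually build packages. A comment above the line stating which of the two meanings is intended would make the next reader check it.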
@@ -499,11 +498,11 @@ net.ipv4.tcp_synack_retries = 3
 # If you say Y here, neither TCP resets nor ICMP
 # destination-unreachable packets will be sent in response to packets
 # sent to ports for which no associated listening process exists.
-# This feature supports both IPV4 and IPV6 and exempts the
-# loopback interface from blackholing. Enabling this feature
+# This feature supports both IPV4 and IPV6 and exempts the
+# loopback interface from blackholing. Enabling this feature
 # makes a host more resilient to DoS attacks and reduces network
 # visibility against scanners.
-#
+#
 # The blackhole feature as-implemented is equivalent to the FreeBSD
 # blackhole feature, as it prevents RST responses to all packets, not
 # just SYNs. Under most application behavior this causes no
@@ -516,7 +515,7 @@ net.ipv4.tcp_synack_retries = 3
 # can spend in LAST_ACK state. If you're using haproxy and not
 # all servers it connects to have this option enabled, consider
 # disabling this feature on the haproxy host.
-#
+#
 # If the sysctl option is enabled, two sysctl options with names
 # "ip_blackhole" and "lastack_retries" will be created.
 # While "ip_blackhole" takes the standard zero/non-zero on/off
@@ -531,13 +530,13 @@ kernel.grsecurity.lastack_retries = 4
 # be unable to connect to other hosts from your machine or run server
 # applications from your machine. If the sysctl option is enabled, a
 # sysctl option with name "socket_all" is created.
-kernel.grsecurity.socket_all = 0
+kernel.grsecurity.socket_all = 1
 # Here you can choose the GID to disable socket access for. Remember to
 # add the users you want socket access disabled for to the GID
 # specified here. If the sysctl option is enabled, a sysctl option
 # with name "socket_all_gid" is created.
-#kernel.grsecurity.socket_all_gid = 202
+kernel.grsecurity.socket_all_gid = 200
 # If you say Y here, you will be able to choose a GID of whose users will
 # be unable to connect to other hosts from your machine, but will be
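Review bot: `kernel.grsecurity.socket_all_gid = 200` names a group that this revision itself documents as "non existent" on the grsecurity page, so `socket_all = 1` currently restricts nobody and gives no signal that the policy is inert. Worse, the previous revision of that page created GID 200 as the `tpe` group (`groupadd -g 200 tpe`), so a host provisioned from the old instructions would now have every former TPE member cut off from all sockets after `sysctl -p`. Reserve the GID under an explicit name in the provisioning steps, e.g. `getent group socket-deny-all >/dev/null || groupadd -g 200 socket-deny-all`, and put `# 200 = socket-deny-all (see grsecurity.html)` above the sysctl so the number is traceable.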
@@ -577,7 +576,7 @@ kernel.grsecurity.socket_server_gid = 99
 # device insertion will be logged. This option is intended to be
 # used against custom USB devices designed to exploit vulnerabilities
 # in various USB device drivers.
-#
+#
 # For greatest effectiveness, this sysctl should be set after any
 # relevant init scripts. This option is safe to enable in distros
 # as each user can choose whether or not to toggle the sysctl.
diff --git a/core/configure.html b/core/configure.html
index 1ca655f..b6b3fb5 100644
--- a/core/configure.html
+++ b/core/configure.html
@@ -185,7 +185,8 @@
    -        # useradd -m -k /etc/skel -s /bin/bash -U -G adm,wheel,audio,video,users c9admin
    +        # useradd -k /etc/skel -s /bin/bash c9admin
    +        # usermod -G adm,wheel,audio,video
             # passwd c9admin
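Review bot: The replacement `usermod -G adm,wheel,audio,video` has no username argument, so the documented step fails as written, and the new `useradd` line dropped `-m`, which makes `-k /etc/skel` inert because skeleton files are only copied when the home directory is created. The `users` group was also removed from the admin account; with `kernel.grsecurity.tpe_gid = 100` (the `users` GID on the grsecurity page) that decides whether this account is TPE-trusted, so if the omission is intentional it deserves a sentence, and if not the lines should read `# useradd -m -k /etc/skel -s /bin/bash c9admin` followed by `# usermod -a -G adm,wheel,audio,video,users c9admin`. The later "Add Administrator to Wheel group" section loses its only command in the next hunk, so the heading should either go or keep the `usermod -a -G wheel c9admin` step.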
             
    @@ -196,10 +197,6 @@

    1.2.4.3 Add Administrator to Wheel group

    -
    -        # usermod -a -G wheel c9admin
    -        
    -
             bash-4.3# sudoedit /etc/sudoers
             
    diff --git a/core/grsecurity.html b/core/grsecurity.html index adfd292..30ee28c 100644 --- a/core/grsecurity.html +++ b/core/grsecurity.html @@ -2,31 +2,248 @@ - Grsecurity + 2.2.1. Grsecurity Core OS Index -

    Grsecurity

    +

    2.2.1. Grsecurity

    -

    Grsecurity utilities are installed and configured in - hardening, kernel witch grsecurity - patch is installed using - linux port.

    +

    Install grsecurity utilities, kernel + configuration is based on + port kernel, for manual + configuration check linux kernel. Configuration + is not enable by default, groups with special permissions and other + protections are set with sysctl.html;

    +
    + +
    proc
    +
    GID 4 - adm group
    +
    If you say Y here, you will be able to select a group that will be + able to view all processes and network-related information. + GRKERNSEC_HIDESYM is enabled, kernel and symbol information may still + remain hidden.
    + +
    symlinks owner match
    +
    GID 15 - www group
    +
    Kernel-enforced SymlinksIfOwnerMatch group.
    + +
    group for auditing
    +
    GID 99 - nobody group
    +
    This option is recommended if you only want to watch certain + users exec and chdir logging features instead of having a large + amount of logs from the entire system
    + +
    tpe
    +
    GID 100 - users
    +
    Supplementary groups of users you want to mark as "untrusted". + Invert gid option causes to not apply tpe protection to this group, + allowing to build software with partially restrict all non-root users + enable.
    + +
    socket all
    +
    GID 200 - non existent
    +
    Deny sockets to this group.
    + +
    socket client
    +
    GID 15 - www group
    +
    Deny client sockets to this group.
    + +
    socket server
    +
    GID 99 - nobody group
    +
    Deny server sockets to this group.
    + +
    + +

    Kernel configuration related to grsecurity;

    -

    Special Groups

    -        getent group tpe >/dev/null || groupadd -g 200 tpe
    -        getent group audit >/dev/null || groupadd -g 201 audit
    -        getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all
    -        getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client
    -        getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server
    +        #
    +        # Grsecurity
    +        #
    +        CONFIG_PAX_PER_CPU_PGD=y
    +        CONFIG_TASK_SIZE_MAX_SHIFT=42
    +        CONFIG_GRKERNSEC=y
    +        # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
    +        CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
    +        CONFIG_GRKERNSEC_PROC_GID=4
    +        CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100
    +        CONFIG_GRKERNSEC_SYMLINKOWN_GID=15
    +
    +        #
    +        # PaX
    +        #
    +        CONFIG_PAX=y
    +
    +        #
    +        # PaX Control
    +        #
    +        # CONFIG_PAX_SOFTMODE is not set
    +        # CONFIG_PAX_EI_PAX is not set
    +        CONFIG_PAX_PT_PAX_FLAGS=y
    +        CONFIG_PAX_XATTR_PAX_FLAGS=y
    +        # CONFIG_PAX_NO_ACL_FLAGS is not set
    +        CONFIG_PAX_HAVE_ACL_FLAGS=y
    +        # CONFIG_PAX_HOOK_ACL_FLAGS is not set
    +
    +        #
    +        # Non-executable pages
    +        #
    +        CONFIG_PAX_NOEXEC=y
    +        CONFIG_PAX_PAGEEXEC=y
    +        CONFIG_PAX_EMUTRAMP=y
    +        CONFIG_PAX_MPROTECT=y
    +        # CONFIG_PAX_MPROTECT_COMPAT is not set
    +        # CONFIG_PAX_ELFRELOCS is not set
    +        CONFIG_PAX_KERNEXEC=y
    +        CONFIG_PAX_KERNEXEC_PLUGIN=y
    +        # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set
    +        CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
    +
    +        #
    +        # Address Space Layout Randomization
    +        #
    +        CONFIG_PAX_ASLR=y
    +        CONFIG_PAX_RANDKSTACK=y
    +        CONFIG_PAX_RANDUSTACK=y
    +        CONFIG_PAX_RANDMMAP=y
    +
    +        #
    +        # Miscellaneous hardening features
    +        #
    +        CONFIG_PAX_MEMORY_SANITIZE=y
    +        CONFIG_PAX_MEMORY_STACKLEAK=y
    +        CONFIG_PAX_MEMORY_STRUCTLEAK=y
    +        CONFIG_PAX_MEMORY_UDEREF=y
    +        CONFIG_PAX_REFCOUNT=y
    +        CONFIG_PAX_USERCOPY=y
    +        CONFIG_PAX_CONSTIFY_PLUGIN=y
    +        # CONFIG_PAX_USERCOPY_DEBUG is not set
    +        CONFIG_PAX_SIZE_OVERFLOW=y
    +        CONFIG_PAX_SIZE_OVERFLOW_EXTRA=y
    +        # CONFIG_PAX_INITIFY is not set
    +        CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y
    +        CONFIG_PAX_LATENT_ENTROPY=y
    +        CONFIG_PAX_RAP=y
    +
    +        #
    +        # Memory Protections
    +        #
    +        CONFIG_GRKERNSEC_KMEM=y
    +        CONFIG_GRKERNSEC_IO=y
    +        CONFIG_GRKERNSEC_BPF_HARDEN=y
    +        CONFIG_GRKERNSEC_PERF_HARDEN=y
    +        CONFIG_GRKERNSEC_RAND_THREADSTACK=y
    +        CONFIG_GRKERNSEC_PROC_MEMMAP=y
    +        CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
    +        CONFIG_GRKERNSEC_BRUTE=y
    +        CONFIG_GRKERNSEC_MODHARDEN=y
    +        CONFIG_GRKERNSEC_HIDESYM=y
    +        CONFIG_GRKERNSEC_RANDSTRUCT=y
    +        CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
    +        CONFIG_GRKERNSEC_KERN_LOCKOUT=y
    +
    +        #
    +        # Role Based Access Control Options
    +        #
    +        # CONFIG_GRKERNSEC_NO_RBAC is not set
    +        CONFIG_GRKERNSEC_ACL_HIDEKERN=y
    +        CONFIG_GRKERNSEC_ACL_MAXTRIES=3
    +        CONFIG_GRKERNSEC_ACL_TIMEOUT=30
    +
    +        #
    +        # Filesystem Protections
    +        #
    +        CONFIG_GRKERNSEC_PROC=y
    +        # CONFIG_GRKERNSEC_PROC_USER is not set
    +        CONFIG_GRKERNSEC_PROC_USERGROUP=y
    +        CONFIG_GRKERNSEC_PROC_ADD=y
    +        CONFIG_GRKERNSEC_LINK=y
    +        CONFIG_GRKERNSEC_SYMLINKOWN=y
    +        CONFIG_GRKERNSEC_FIFO=y
    +        # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
    +        CONFIG_GRKERNSEC_ROFS=y
    +        CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
    +        CONFIG_GRKERNSEC_CHROOT=y
    +        CONFIG_GRKERNSEC_CHROOT_MOUNT=y
    +        CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
    +        CONFIG_GRKERNSEC_CHROOT_PIVOT=y
    +        CONFIG_GRKERNSEC_CHROOT_CHDIR=y
    +        CONFIG_GRKERNSEC_CHROOT_CHMOD=y
    +        CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
    +        CONFIG_GRKERNSEC_CHROOT_MKNOD=y
    +        CONFIG_GRKERNSEC_CHROOT_SHMAT=y
    +        CONFIG_GRKERNSEC_CHROOT_UNIX=y
    +        CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
    +        CONFIG_GRKERNSEC_CHROOT_NICE=y
    +        CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
    +        CONFIG_GRKERNSEC_CHROOT_RENAME=y
    +        CONFIG_GRKERNSEC_CHROOT_CAPS=y
    +        CONFIG_GRKERNSEC_CHROOT_INITRD=y
    +
    +        #
    +        # Kernel Auditing
    +        #
    +        CONFIG_GRKERNSEC_AUDIT_GROUP=y
    +        CONFIG_GRKERNSEC_AUDIT_GID=99
    +        CONFIG_GRKERNSEC_EXECLOG=y
    +        CONFIG_GRKERNSEC_RESLOG=y
    +        CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
    +        CONFIG_GRKERNSEC_AUDIT_PTRACE=y
    +        CONFIG_GRKERNSEC_AUDIT_CHDIR=y
    +        CONFIG_GRKERNSEC_AUDIT_MOUNT=y
    +        CONFIG_GRKERNSEC_SIGNAL=y
    +        CONFIG_GRKERNSEC_FORKFAIL=y
    +        CONFIG_GRKERNSEC_TIME=y
    +        CONFIG_GRKERNSEC_PROC_IPADDR=y
    +        CONFIG_GRKERNSEC_RWXMAP_LOG=y
    +
    +        #
    +        # Executable Protections
    +        #
    +        CONFIG_GRKERNSEC_DMESG=y
    +        CONFIG_GRKERNSEC_HARDEN_PTRACE=y
    +        CONFIG_GRKERNSEC_PTRACE_READEXEC=y
    +        CONFIG_GRKERNSEC_SETXID=y
    +        CONFIG_GRKERNSEC_HARDEN_IPC=y
    +        CONFIG_GRKERNSEC_HARDEN_TTY=y
    +        CONFIG_GRKERNSEC_TPE=y
    +        CONFIG_GRKERNSEC_TPE_ALL=y
    +        CONFIG_GRKERNSEC_TPE_INVERT=y
    +        CONFIG_GRKERNSEC_TPE_GID=100
    +
    +        #
    +        # Network Protections
    +        #
    +        CONFIG_GRKERNSEC_BLACKHOLE=y
    +        CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
    +        CONFIG_GRKERNSEC_SOCKET=y
    +        CONFIG_GRKERNSEC_SOCKET_ALL=y
    +        CONFIG_GRKERNSEC_SOCKET_ALL_GID=200
    +        CONFIG_GRKERNSEC_SOCKET_CLIENT=y
    +        CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15
    +        CONFIG_GRKERNSEC_SOCKET_SERVER=y
    +        CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99
    +
    +        #
    +        # Physical Protections
    +        #
    +        CONFIG_GRKERNSEC_DENYUSB=y
    +        # CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
    +
    +        #
    +        # Sysctl Support
    +        #
    +        CONFIG_GRKERNSEC_SYSCTL=y
    +        CONFIG_GRKERNSEC_SYSCTL_DISTRO=y
    +        # CONFIG_GRKERNSEC_SYSCTL_ON is not set
    +
             
    -

    Pax

    - +

    Pax

    +

    Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.

    /usr/bin/grub-script-check @@ -36,7 +253,7 @@
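Review bot: The listed kernel config has `CONFIG_GRKERNSEC_SYSCTL=y` with `# CONFIG_GRKERNSEC_SYSCTL_ON is not set`, which means every grsecurity feature governed by a sysctl is disabled at boot until sysctl.conf is loaded; the page says "Configuration is not enable by default" but does not tell the reader that a broken or missing sysctl run leaves the host with PaX only and no grsecurity restrictions, nor that the file should end with `kernel.grsecurity.grsec_lock = 1` so root cannot turn them back off. The group table also assigns GID 200 to "socket all" while stating the group does not exist, and this hunk removes the `groupadd` lines that used to create the special groups, so there is no longer any step that reserves the GIDs the config hard-codes; keep a provisioning snippet such as `getent group socket-deny-all >/dev/null || groupadd -g 200 socket-deny-all`. Finally, GID 99 (nobody) and GID 15 (www) each back two different policies (audit plus socket-server, symlink-owner plus socket-client), which is worth a sentence explaining that this coupling is deliberate.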

    Gradm

    Gradm is grsecurity access control lists administration utility. Gradm - have a + have a learning mode per-subject, per-role or system-wide. Learning mode gather information that RBAC system supports, it reduces policy size, increase readability and enforces diff --git a/core/hardening.html b/core/hardening.html index 024c4c9..91cd8e9 100644 --- a/core/hardening.html +++ b/core/hardening.html @@ -11,19 +11,20 @@

    2.2. Hardening

    Kernel in ports have upstream linux kernel and - grsecurity patch, it should break some functionality - for the user and pkgmk user if tpe protection is active.

    + grsecurity patch, it should break building some packages, + install follow tools;

             $ sudo prt-get depinst gradm paxtest paxctld checksec lynis
             
    -

    Check grsecurity on how to setup - kernel, pax and gradm.

    +

    Information about grsecurity kernel + configuration, pax and + gradm.

    -

    Lynis tries to give system overall configuration, without - changing default profile run irrelevant tests. Create a lynis - profile by coping default one and run lynis;

    +

    Lynis gives a view of system overall configuration, without changing + default profile it runs irrelevant tests. Create a lynis profile by + coping default one and run lynis;

             $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
    diff --git a/core/index.html b/core/index.html
    index 8274630..485bf65 100644
    --- a/core/index.html
    +++ b/core/index.html
    @@ -60,7 +60,7 @@
     
                 
  • 1.4. Prepare for reboot @@ -81,9 +81,9 @@
  • 2.2. Hardening
  • @@ -116,7 +116,7 @@
  • 2.6. Exim
      -
    • 2.6.1. Exim Configuration
    • +
    • 2.6.1. Exim configuration
    • 2.6.2. Certificates
    • 2.6.3. Aliases
    • 2.6.4. Smarthost
    • diff --git a/core/linux.html b/core/linux.html index 5138676..c52f9b8 100644 --- a/core/linux.html +++ b/core/linux.html @@ -17,9 +17,9 @@

      2.1.1. Port Linux Libre

      -

      Default crux configuration can be obtained from iso, this port depends - on dracut and grub but is not required to install them. To build and install - this port using prt-get;

      +

      Default crux configuration can be obtained from iso, + kernel port depends on dracut and grub but is not required + to install them. To build and install this port using prt-get;

               $ prt-get depinst linux-libre
      @@ -31,26 +31,67 @@
               linux libre,
               or using the port system;

      -

      Crux iso comes with config that is more generic than used on linux-libre - port, crux default is a good starting point to personalize according to your - needs (build default, detect modules needed);

      +

      Crux iso comes with config that is more generic than used on + linux-libre port, crux default is a good starting point to + personalize according to your needs (build default, detect modules + needed);

               $ mkdir ~/kernel
               $ cd ~/kernel
      -        $ cp /usr/ports/distfiles/linux-libre-4.9.11-gnu.tar.xz .
      -        $ tar xf linux-libre-4.9.11-gnu.tar.xz
      -        $ cd linux-4.9.11/
      +        $ tar xf /usr/ports/distfiles/linux-libre-4.9.12-grsec.tar.xz
      +        $ cd linux-4.9.12/
               
      -

      Grsecurity patch for - 4.9.11. +

      Grsecurity patch for + 4.9.12. Gcc graysky2 kernel_gcc_patch (master.zip) that adds more cpu options (FLAGS native). - Check Pkgfile for instructions and - more patches used on linux-libre port. Read patching your kernel with + Check Pkgfile + for instructions and more patches used on linux-libre port. + Read patching your kernel with gresecurity.

      +

      Apply grsecurity patch;

      + +
      +        $ patch -p1 < ../grsecurity-3.1-4.9.12-201702231830.patch
      +        
      + +

      Set correct version;

      + +
      +        $ rm localversion-grsec
      +        
      + +

      Edit Makefile and replace EXTRAVERSION;

      + +
      +        VERSION = 4
      +        PATCHLEVEL = 9
      +        SUBLEVEL = 12
      +        EXTRAVERSION = -grsec
      +        NAME = Roaring Lionus
      +        
      + +

      Change cpu optimization patch;

      + +
      +        depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
      +        
      + +

      to;

      + +
      +        depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
      +        
      + +

      Apply additional cpu optimizations patch;

      + +
      +        $ patch -p1 < ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
      +        
      +

      Configure kernel according to your current kernel hardware support;
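Review bot: `patch -p1 < ../grsecurity-3.1-4.9.12-201702231830.patch` is applied straight to the kernel tree with no integrity or signature check, and the same goes for the gcc cpu-optimisation patch pulled as an unpinned `master.zip`; for a hardening kernel this is the supply-chain step most worth protecting. grsecurity distributed detached GPG signatures alongside its patches, so the instructions should have the reader fetch the signature and run `gpg --verify` against the patch before the `patch` line, and pin the gcc patch to a specific commit or checksum rather than a branch head. A short note on where the trusted signing key comes from belongs next to that step.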

      @@ -58,10 +99,7 @@ $ make localmodconfig
      -

      This will disable all unloaded modules, - you can use localyesconfig mark all loaded - to be built in the kernel. To get information - about your hardware, for example information +

      Get information about your hardware, for example information about which graphic module (driver) is in use as root run;

      @@ -76,17 +114,165 @@ $ make nconfig
  • +

    Make targets;

    +
    -        $ make -j $(nproc) bzImage modules
    -        $ sudo make modules_install
    -        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.11-gnu
    -        $ sudo cp System.map /boot/System.map-4.9.11-gnu
    +        $ make help
    +        Cleaning targets:
    +          clean           - Remove most generated files but keep the config and
    +                            enough build support to build external modules
    +          mrproper        - Remove all generated files + config + various backup files
    +          distclean       - mrproper + remove editor backup and patch files
    +
    +        Configuration targets:
    +          config          - Update current config utilising a line-oriented program
    +          nconfig         - Update current config utilising a ncurses menu based
    +                            program
    +          menuconfig      - Update current config utilising a menu based program
    +          xconfig         - Update current config utilising a Qt based front-end
    +          gconfig         - Update current config utilising a GTK+ based front-end
    +          oldconfig       - Update current config utilising a provided .config as base
    +          localmodconfig  - Update current config disabling modules not loaded
    +          localyesconfig  - Update current config converting local mods to core
    +          silentoldconfig - Same as oldconfig, but quietly, additionally update deps
    +          defconfig       - New config with default from ARCH supplied defconfig
    +          savedefconfig   - Save current config as ./defconfig (minimal config)
    +          allnoconfig     - New config where all options are answered with no
    +          allyesconfig    - New config where all options are accepted with yes
    +          allmodconfig    - New config selecting modules when possible
    +          alldefconfig    - New config with all symbols set to default
    +          randconfig      - New config with random answer to all options
    +          listnewconfig   - List new options
    +          olddefconfig    - Same as silentoldconfig but sets new symbols to their
    +                            default value
    +          kvmconfig       - Enable additional options for kvm guest kernel support
    +          xenconfig       - Enable additional options for xen dom0 and guest kernel support
    +          tinyconfig      - Configure the tiniest possible kernel
    +
    +        Other generic targets:
    +          all             - Build all targets marked with [*]
    +        * vmlinux         - Build the bare kernel
    +        * modules         - Build all modules
    +          modules_install - Install all modules to INSTALL_MOD_PATH (default: /)
    +          firmware_install- Install all firmware to INSTALL_FW_PATH
    +                            (default: $(INSTALL_MOD_PATH)/lib/firmware)
    +          dir/            - Build all files in dir and below
    +          dir/file.[ois]  - Build specified target only
    +          dir/file.lst    - Build specified mixed source/assembly target only
    +                            (requires a recent binutils and recent build (System.map))
    +          dir/file.ko     - Build module including final link
    +          modules_prepare - Set up for building external modules
    +          tags/TAGS       - Generate tags file for editors
    +          cscope          - Generate cscope index
    +          gtags           - Generate GNU GLOBAL index
    +          kernelrelease   - Output the release version string (use with make -s)
    +          kernelversion   - Output the version stored in Makefile (use with make -s)
    +          image_name      - Output the image name (use with make -s)
    +          headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH
    +                            (default: ./usr)
    +
    +        Static analysers
    +          checkstack      - Generate a list of stack hogs
    +          namespacecheck  - Name space analysis on compiled kernel
    +          versioncheck    - Sanity check on version.h usage
    +          includecheck    - Check for duplicate included header files
    +          export_report   - List the usages of all exported symbols
    +          headers_check   - Sanity check on exported headers
    +          headerdep       - Detect inclusion cycles in headers
    +          coccicheck      - Check with Coccinelle.
    +
    +        Kernel selftest
    +          kselftest       - Build and run kernel selftest (run as root)
    +                            Build, install, and boot kernel before
    +                            running kselftest on it
    +          kselftest-clean - Remove all generated kselftest files
    +          kselftest-merge - Merge all the config dependencies of kselftest to existed
    +                            .config.
    +
    +        Kernel packaging:
    +          rpm-pkg             - Build both source and binary RPM kernel packages
    +          binrpm-pkg          - Build only the binary kernel RPM package
    +          deb-pkg             - Build both source and binary deb kernel packages
    +          bindeb-pkg          - Build only the binary kernel deb package
    +          tar-pkg             - Build the kernel as an uncompressed tarball
    +          targz-pkg           - Build the kernel as a gzip compressed tarball
    +          tarbz2-pkg          - Build the kernel as a bzip2 compressed tarball
    +          tarxz-pkg           - Build the kernel as a xz compressed tarball
    +          perf-tar-src-pkg    - Build perf-4.9.9-gnu.tar source tarball
    +          perf-targz-src-pkg  - Build perf-4.9.9-gnu.tar.gz source tarball
    +          perf-tarbz2-src-pkg - Build perf-4.9.9-gnu.tar.bz2 source tarball
    +          perf-tarxz-src-pkg  - Build perf-4.9.9-gnu.tar.xz source tarball
    +
    +        Documentation targets:
    +         Linux kernel internal documentation in different formats (Sphinx):
    +          htmldocs        - HTML
    +          latexdocs       - LaTeX
    +          pdfdocs         - PDF
    +          epubdocs        - EPUB
    +          xmldocs         - XML
    +          cleandocs       - clean all generated files
    +
    +          make SPHINXDIRS="s1 s2" [target] Generate only docs of folder s1, s2
    +          valid values for SPHINXDIRS are: development-process media gpu 80211
    +
    +          make SPHINX_CONF={conf-file} [target] use *additional* sphinx-build
    +          configuration. This is e.g. useful to build with nit-picking config.
    +
    +         Linux kernel internal documentation in different formats (DocBook):
    +          htmldocs        - HTML
    +          pdfdocs         - PDF
    +          psdocs          - Postscript
    +          xmldocs         - XML DocBook
    +          mandocs         - man pages
    +          installmandocs  - install man pages generated by mandocs
    +          cleandocs       - clean all generated DocBook files
    +
    +          make DOCBOOKS="s1.xml s2.xml" [target] Generate only docs s1.xml s2.xml
    +          valid values for DOCBOOKS are: z8530book.xml kernel-hacking.xml kernel-locking.xml deviceiobook.xml writing_usb_driver.xml networking.xml kernel-api.xml filesystems.xml lsm.xml usb.xml kgdb.xml gadget.xml libata.xml mtdnand.xml librs.xml rapidio.xml genericirq.xml s390-drivers.xml uio-howto.xml scsi.xml debugobjects.xml sh.xml regulator.xml alsa-driver-api.xml writing-an-alsa-driver.xml tracepoint.xml w1.xml writing_musb_glue_layer.xml crypto-API.xml iio.xml
    +
    +          make DOCBOOKS="" [target] Don't generate docs from Docbook
    +             This is useful to generate only the ReST docs (Sphinx)
    +
    +        Architecture specific targets (x86):
    +        * bzImage      - Compressed kernel image (arch/x86/boot/bzImage)
    +          install      - Install kernel using
    +                          (your) ~/bin/installkernel or
    +                          (distribution) /sbin/installkernel or
    +                          install to $(INSTALL_PATH) and run lilo
    +          fdimage      - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
    +          fdimage144   - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
    +          fdimage288   - Create 2.8MB boot floppy image (arch/x86/boot/fdimage)
    +          isoimage     - Create a boot CD-ROM image (arch/x86/boot/image.iso)
    +                          bzdisk/fdimage*/isoimage also accept:
    +                          FDARGS="..."  arguments for the booted kernel
    +                          FDINITRD=file initrd for the booted kernel
    +
    +          i386_defconfig           - Build for i386
    +          x86_64_defconfig         - Build for x86_64
    +
    +          make V=0|1 [targets] 0 => quiet build (default), 1 => verbose build
    +          make V=2   [targets] 2 => give reason for rebuild of target
    +          make O=dir [targets] Locate all output files in "dir", including .config
    +          make C=1   [targets] Check all c source with $CHECK (sparse by default)
    +          make C=2   [targets] Force check of all c source with $CHECK
    +          make RECORDMCOUNT_WARN=1 [targets] Warn about ignored mcount sections
    +          make W=n   [targets] Enable extra gcc checks, n=1,2,3 where
    +                        1: warnings which may be relevant and do not occur too often
    +                        2: warnings which occur quite often but may still be relevant
    +                        3: more obscure warnings, can most likely be ignored
    +                        Multiple levels can be combined with W=12 or W=123
    +
    +        Execute "make" or "make all" to build all targets marked with [*]
    +        For further info see the ./README file
    +        $
             
    -

    Create dracut initramfs;

    -        $sudo dracut --fstab /boot/initramfs-4.9.11-gnu.img 4.9.11-gnu
    +        $ make -j $(nproc) bzImage modules
    +        $ sudo make modules_install
    +        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.12-grsec
    +        $ sudo cp System.map /boot/System.map-4.9.12-grsec
             

    Update grub;

    @@ -98,9 +284,9 @@

    2.1.3. Manual Remove

    -        $ sudo rm -r /lib/modules/4.9.11-gnu
    -        $ sudo rm /boot/vmlinuz-4.9.11-gnu
    -        $ sudo rm /boot/System.map-4.9.11-gnu
    +        $ sudo rm -r /lib/modules/4.9.12-grsec
    +        $ sudo rm /boot/vmlinuz-4.9.12-grsec
    +        $ sudo rm /boot/System.map-4.9.12-grsec
             

    2.1.4. Dracut

    diff --git a/core/ports/linux-blob/.footprint b/core/ports/linux-blob/.footprint
index 02c767e..62181ac 100644
--- a/core/ports/linux-blob/.footprint
+++ b/core/ports/linux-blob/.footprint
@@ -1,56 +1,49 @@ drwxr-xr-x root/root boot/ --rw-r--r-- root/root boot/System.map-4.9.11-blob --rw-r--r-- root/root boot/config-4.9.11-blob --rw-r--r-- root/root boot/vmlinuz-4.9.11-blob +-rw-r--r-- root/root boot/System.map-4.9.12-blob +-rw-r--r-- root/root boot/config-4.9.12-blob +-rw-r--r-- root/root boot/vmlinuz-4.9.12-blob drwxr-xr-x root/root lib/ drwxr-xr-x root/root lib/modules/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/ -lrwxrwxrwx root/root lib/modules/4.9.11-blob/build -> /usr/src/linux-4.9.11 -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_camera.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/gspca/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/gspca/gspca_main.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/uvc/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/uvc/uvcvideo.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf-core.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-core.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-memops.ko --rw-r--r-- root/root 
lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/dvm/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/mvm/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/fs/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/fs/ntfs/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/fs/ntfs/ntfs.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.alias --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.alias.bin --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.builtin --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.builtin.bin --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.dep --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.dep.bin --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.devname (EMPTY) --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.order --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.softdep --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.symbols --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.symbols.bin -lrwxrwxrwx root/root lib/modules/4.9.11-blob/source -> /usr/src/linux-4.9.11 +drwxr-xr-x root/root lib/modules/4.9.12-blob/ +lrwxrwxrwx root/root 
lib/modules/4.9.12-blob/build -> /usr/src/linux-4.9.12 +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/soc_camera/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/soc_camera/soc_camera.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/gspca/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/gspca/gspca_main.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/uvc/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/uvc/uvcvideo.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf-core.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf2-core.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf2-memops.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/vhost/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/vhost/vhost_scsi.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/fs/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/fs/ntfs/ +-rw-r--r-- 
root/root lib/modules/4.9.12-blob/kernel/fs/ntfs/ntfs.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.alias +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.alias.bin +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.builtin +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.builtin.bin +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.dep (EMPTY) +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.dep.bin +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.devname (EMPTY) +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.order +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.softdep +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.symbols +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.symbols.bin +lrwxrwxrwx root/root lib/modules/4.9.12-blob/source -> /usr/src/linux-4.9.12 drwxr-xr-x root/root usr/ drwxr-xr-x root/root usr/src/ --rw-r--r-- root/root usr/src/4.9.11-blob-config --rw-r--r-- root/root usr/src/4.9.11-cpu_optimizations.patch --rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.11-201702181444.patch +-rw-r--r-- root/root usr/src/4.9.12-blob-config +-rw-r--r-- root/root usr/src/4.9.12-cpu_optimizations.patch +-rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.12-201702231830.patch diff --git a/core/ports/linux-blob/.md5sum b/core/ports/linux-blob/.md5sum index 8516def..2b23da8 100644 --- a/core/ports/linux-blob/.md5sum +++ b/core/ports/linux-blob/.md5sum 
@@ -1,7 +1,7 @@ -dc71c8f55df123437c468dad7be88757 config-c9 +4cfe0909ea898be7ccc712ab162be13d config-c9 00bc0d70f200c2673fe7dd6f02053fa4 enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch -e4eb7eab3a40968c3bd4a0a19339a6a1 grsecurity-3.1-4.9.11-201702181444.patch -98761ce71c603199fe6fcce600c60772 linux-4.9.11.tar.xz +83b031b26dc0aeb3ccf8c45785253225 grsecurity-3.1-4.9.12-201702231830.patch +073dfb3a13bf5836ef2d66e24ccf2ceb linux-4.9.12.tar.xz bcf38b0fbf7bd83323f3202ec082b15a port-blob-cpu.patch -48908f447c73e31c2428cb68b00d1e9c port-blob-grsecurity.patch -4a443bf320ede9f5cb183843e85b3b62 port-blob-make.patch +e22c8ae9bf05e1e85f5e6e6827cef368 port-blob-grsecurity.patch +33a67ae0d1cc89895a91ff95e3565b5e port-blob-make.patch diff --git a/core/ports/linux-blob/Pkgfile b/core/ports/linux-blob/Pkgfile index b312361..d9767b1 100644 --- a/core/ports/linux-blob/Pkgfile +++ b/core/ports/linux-blob/Pkgfile @@ -4,11 +4,11 @@ # Depends on: grub2 dracut name=linux-blob -version=4.9.11 -release=3 +version=4.9.12 +release=2 source=(https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-$version.tar.xz \ https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \ - http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \ + http://grsecurity.net/test/grsecurity-3.1-4.9.12-201702231830.patch \ port-blob-grsecurity.patch \ port-blob-make.patch \ port-blob-cpu.patch \ 
@@ -22,26 +22,31 @@ build() { install -m 0644 $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch # /usr/src/grsecurity-version.patch - install -m 0644 $SRC/grsecurity-3.1-4.9.11-201702181444.patch $PKG/usr/src/ + install -m 0644 $SRC/grsecurity-3.1-4.9.12-201702231830.patch $PKG/usr/src/ patch < port-blob-grsecurity.patch patch < port-blob-cpu.patch + # fix to build under tpe + chmod -R go-w linux-$version + cd linux-$version patch < ${SRC}/port-blob-make.patch make distclean - patch -p1 < $SRC/grsecurity-3.1-4.9.11-201702181444.patch + patch -p1 < $SRC/grsecurity-3.1-4.9.12-201702231830.patch patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch cp $SRC/config-c9 .config make silentoldconfig - make nconfig + # make nconfig # make localmodconfig + make prepare + install -m 0644 .config $PKG/usr/src/${version}-blob-config make LOCALVERSION= bzImage modules diff --git a/core/ports/linux-blob/config-c9 b/core/ports/linux-blob/config-c9 index 2b0bb4b..0bd5108 100644 --- a/core/ports/linux-blob/config-c9 +++ b/core/ports/linux-blob/config-c9 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.9.11-blob Kernel Configuration +# Linux/x86 4.9.12-blob Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -62,10 +62,10 @@ CONFIG_HAVE_KERNEL_LZMA=y CONFIG_HAVE_KERNEL_XZ=y CONFIG_HAVE_KERNEL_LZO=y CONFIG_HAVE_KERNEL_LZ4=y -# CONFIG_KERNEL_GZIP is not set +CONFIG_KERNEL_GZIP=y # CONFIG_KERNEL_BZIP2 is not set # CONFIG_KERNEL_LZMA is not set -CONFIG_KERNEL_XZ=y +# CONFIG_KERNEL_XZ is not set # CONFIG_KERNEL_LZO is not set # CONFIG_KERNEL_LZ4 is not set CONFIG_DEFAULT_HOSTNAME="(none)" 
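Review bot: `patch -p1 < $SRC/grsecurity-3.1-4.9.12-201702231830.patch` applies a patch that the port's source list fetches over plain http and that .md5sum checks only by MD5, so the download gets integrity against accidents but not authenticity; if a detached signature is published for the test patch, verifying it (or at least pinning a SHA-256 in the port) before this line would close that gap. The new `chmod -R go-w linux-$version` is explained only as `# fix to build under tpe`; a later maintainer is better served by the reason, e.g. `# grsecurity TPE refuses to exec helper scripts from group/world-writable dirs, so strip those bits before the kernel build runs them` (hedged, since the TPE policy in force is not visible here). As in the rest of the function, `$SRC`, `$PKG` and `linux-$version` are unquoted; pkgmk paths rarely contain spaces, but `"$SRC"` and `"$PKG"` cost nothing. build() starts and ends outside the hunk.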
@@ -76,11 +76,8 @@ CONFIG_POSIX_MQUEUE=y CONFIG_POSIX_MQUEUE_SYSCTL=y CONFIG_CROSS_MEMORY_ATTACH=y CONFIG_FHANDLE=y -CONFIG_AUDIT=y +# CONFIG_AUDIT is not set CONFIG_HAVE_ARCH_AUDITSYSCALL=y -CONFIG_AUDITSYSCALL=y -CONFIG_AUDIT_WATCH=y -CONFIG_AUDIT_TREE=y # # IRQ subsystem @@ -119,12 +116,13 @@ CONFIG_HIGH_RES_TIMERS=y # CONFIG_TICK_CPU_ACCOUNTING=y # CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set -CONFIG_IRQ_TIME_ACCOUNTING=y +# CONFIG_IRQ_TIME_ACCOUNTING is not set CONFIG_BSD_PROCESS_ACCT=y CONFIG_BSD_PROCESS_ACCT_V3=y CONFIG_TASKSTATS=y CONFIG_TASK_DELAY_ACCT=y -# CONFIG_TASK_XACCT is not set +CONFIG_TASK_XACCT=y +CONFIG_TASK_IO_ACCOUNTING=y # # RCU Subsystem @@ -138,7 +136,7 @@ CONFIG_RCU_STALL_COMMON=y CONFIG_BUILD_BIN2C=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y -CONFIG_LOG_BUF_SHIFT=18 +CONFIG_LOG_BUF_SHIFT=19 CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 CONFIG_NMI_LOG_BUF_SHIFT=13 CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y @@ -149,14 +147,15 @@ CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y CONFIG_CGROUPS=y CONFIG_PAGE_COUNTER=y CONFIG_MEMCG=y -# CONFIG_MEMCG_SWAP is not set +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_BLK_CGROUP=y -# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_DEBUG_BLK_CGROUP=y CONFIG_CGROUP_WRITEBACK=y CONFIG_CGROUP_SCHED=y CONFIG_FAIR_GROUP_SCHED=y -# CONFIG_CFS_BANDWIDTH is not set -# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CFS_BANDWIDTH=y +CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_PIDS=y # CONFIG_CGROUP_FREEZER is not set CONFIG_CPUSETS=y @@ -211,7 +210,7 @@ CONFIG_EPOLL=y CONFIG_SIGNALFD=y CONFIG_TIMERFD=y CONFIG_EVENTFD=y -# CONFIG_BPF_SYSCALL is not set +CONFIG_BPF_SYSCALL=y CONFIG_SHMEM=y CONFIG_AIO=y CONFIG_ADVISE_SYSCALLS=y 
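Review bot: `# CONFIG_AUDIT is not set`, together with the dropped CONFIG_AUDITSYSCALL, CONFIG_AUDIT_WATCH and CONFIG_AUDIT_TREE, removes the kernel audit subsystem, so auditd rules and syscall auditing stop working on this kernel; the hunk at `@@ -862,7 +925,6 @@` drops the AUDIT xtables target for the same reason. For a hardened build that is a loss of host-level detection capability rather than a hardening step, and it cannot be recovered without a kernel rebuild. If the goal is only to silence audit at runtime, keeping `CONFIG_AUDIT=y` and `CONFIG_AUDITSYSCALL=y` and booting with `audit=0` keeps the option open; if the removal is deliberate, the commit message should record why.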
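Review bot: `CONFIG_BPF_SYSCALL=y` in the hunk at `@@ -211,7 +210,7 @@` exposes the bpf(2) syscall, which on 4.9 is reachable by unprivileged users for socket filters and whose verifier has historically been a sizeable attack surface; on a grsecurity kernel that is a notable widening. If only privileged tooling needs it, pairing this with `kernel.unprivileged_bpf_disabled = 1` in the system's sysctl configuration keeps the feature while restricting it to CAP_SYS_ADMIN; nothing in this diff shows that sysctl being set.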
@@ -234,11 +233,13 @@ CONFIG_SLUB=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLUB_CPU_PARTIAL=y CONFIG_SYSTEM_DATA_VERIFICATION=y -# CONFIG_PROFILING is not set +CONFIG_PROFILING=y +# CONFIG_OPROFILE is not set CONFIG_HAVE_OPROFILE=y CONFIG_OPROFILE_NMI_TIMER=y CONFIG_KPROBES=y -# CONFIG_JUMP_LABEL is not set +CONFIG_JUMP_LABEL=y +# CONFIG_STATIC_KEYS_SELFTEST is not set CONFIG_OPTPROBES=y # CONFIG_UPROBES is not set # CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set @@ -279,8 +280,8 @@ CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y CONFIG_HAVE_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_NONE is not set -CONFIG_CC_STACKPROTECTOR_REGULAR=y -# CONFIG_CC_STACKPROTECTOR_STRONG is not set +# CONFIG_CC_STACKPROTECTOR_REGULAR is not set +CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y CONFIG_HAVE_CONTEXT_TRACKING=y CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y @@ -299,7 +300,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 CONFIG_HAVE_COPY_THREAD_TLS=y CONFIG_HAVE_STACK_VALIDATION=y # CONFIG_HAVE_ARCH_HASH is not set -# CONFIG_ISA_BUS_API is not set +CONFIG_ISA_BUS_API=y CONFIG_OLD_SIGSUSPEND3=y CONFIG_COMPAT_OLD_SIGACTION=y # CONFIG_CPU_NO_EFFICIENT_FFS is not set @@ -328,14 +329,16 @@ CONFIG_MODULE_SIG_SHA256=y # CONFIG_MODULE_SIG_SHA384 is not set # CONFIG_MODULE_SIG_SHA512 is not set CONFIG_MODULE_SIG_HASH="sha256" -# CONFIG_MODULE_COMPRESS is not set +CONFIG_MODULE_COMPRESS=y +CONFIG_MODULE_COMPRESS_GZIP=y +# CONFIG_MODULE_COMPRESS_XZ is not set CONFIG_TRIM_UNUSED_KSYMS=y CONFIG_MODULES_TREE_LOOKUP=y CONFIG_BLOCK=y CONFIG_BLK_DEV_BSG=y CONFIG_BLK_DEV_BSGLIB=y CONFIG_BLK_DEV_INTEGRITY=y -# CONFIG_BLK_DEV_THROTTLING is not set +CONFIG_BLK_DEV_THROTTLING=y # CONFIG_BLK_CMDLINE_PARSER is not set # @@ -399,6 +402,7 @@ CONFIG_ZONE_DMA=y CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y CONFIG_X86_FAST_FEATURE_TESTS=y +CONFIG_X86_X2APIC=y CONFIG_X86_MPPARSE=y # CONFIG_GOLDFISH is not set # CONFIG_X86_EXTENDED_PLATFORM is not set 
@@ -407,6 +411,14 @@ CONFIG_X86_INTEL_LPSS=y CONFIG_IOSF_MBI=y CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y CONFIG_SCHED_OMIT_FRAME_POINTER=y +CONFIG_HYPERVISOR_GUEST=y +CONFIG_PARAVIRT=y +# CONFIG_PARAVIRT_DEBUG is not set +CONFIG_PARAVIRT_SPINLOCKS=y +# CONFIG_XEN is not set +CONFIG_KVM_GUEST=y +CONFIG_PARAVIRT_TIME_ACCOUNTING=y +CONFIG_PARAVIRT_CLOCK=y CONFIG_NO_BOOTMEM=y # CONFIG_MK8 is not set # CONFIG_MK8SSE3 is not set @@ -457,8 +469,8 @@ CONFIG_IOMMU_HELPER=y CONFIG_NR_CPUS=4 CONFIG_SCHED_SMT=y CONFIG_SCHED_MC=y -CONFIG_PREEMPT_NONE=y -# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT_NONE is not set +CONFIG_PREEMPT_VOLUNTARY=y # CONFIG_PREEMPT is not set CONFIG_X86_LOCAL_APIC=y CONFIG_X86_IO_APIC=y @@ -494,6 +506,7 @@ CONFIG_NODES_SHIFT=6 CONFIG_ARCH_SPARSEMEM_ENABLE=y CONFIG_ARCH_SPARSEMEM_DEFAULT=y CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 CONFIG_SELECT_MEMORY_MODEL=y CONFIG_SPARSEMEM_MANUAL=y @@ -509,8 +522,11 @@ CONFIG_HAVE_MEMBLOCK_NODE_MAP=y CONFIG_ARCH_DISCARD_MEMBLOCK=y CONFIG_MEMORY_ISOLATION=y # CONFIG_MOVABLE_NODE is not set -# CONFIG_HAVE_BOOTMEM_INFO_NODE is not set -# CONFIG_MEMORY_HOTPLUG is not set +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +CONFIG_MEMORY_HOTREMOVE=y CONFIG_SPLIT_PTLOCK_CPUS=4 CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y CONFIG_MEMORY_BALLOON=y 
@@ -518,18 +534,21 @@ CONFIG_BALLOON_COMPACTION=y CONFIG_COMPACTION=y CONFIG_MIGRATION=y CONFIG_PHYS_ADDR_T_64BIT=y -# CONFIG_BOUNCE is not set +CONFIG_BOUNCE=y CONFIG_VIRT_TO_BUS=y CONFIG_MMU_NOTIFIER=y -# CONFIG_KSM is not set -CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +CONFIG_KSM=y +CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y CONFIG_MEMORY_FAILURE=y -# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_TRANSPARENT_HUGEPAGE=y +CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y +# CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set +CONFIG_TRANSPARENT_HUGE_PAGECACHE=y CONFIG_CLEANCACHE=y CONFIG_FRONTSWAP=y # CONFIG_CMA is not set -# CONFIG_ZSWAP is not set +CONFIG_ZSWAP=y CONFIG_ZPOOL=y CONFIG_ZBUD=y CONFIG_Z3FOLD=y @@ -537,7 +556,9 @@ CONFIG_ZSMALLOC=y # CONFIG_PGTABLE_MAPPING is not set CONFIG_GENERIC_EARLY_IOREMAP=y CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y +# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set # CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ZONE_DEVICE=y CONFIG_FRAME_VECTOR=y CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y CONFIG_ARCH_HAS_PKEYS=y @@ -546,7 +567,9 @@ CONFIG_X86_CHECK_BIOS_CORRUPTION=y CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y CONFIG_X86_RESERVE_LOW=64 CONFIG_MTRR=y -# CONFIG_MTRR_SANITIZER is not set +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 CONFIG_X86_PAT=y CONFIG_ARCH_USES_PG_UNCACHED=y CONFIG_ARCH_RANDOM=y @@ -554,7 +577,8 @@ CONFIG_X86_SMAP=y CONFIG_X86_INTEL_MPX=y CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y CONFIG_EFI=y -# CONFIG_EFI_STUB is not set +CONFIG_EFI_STUB=y +CONFIG_EFI_MIXED=y CONFIG_SECCOMP=y # CONFIG_HZ_100 is not set # CONFIG_HZ_250 is not set 
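Review bot: `CONFIG_KSM=y` compiles in page deduplication, which merges identical pages across processes (and across guests when used under KVM); memory deduplication is a known timing side channel between security domains, so on a hardened host it should stay off unless the memory saving is actually needed. It only starts once `/sys/kernel/mm/ksm/run` is written, so the default is safe, but that should be a conscious decision rather than an implicit one. Raising `CONFIG_DEFAULT_MMAP_MIN_ADDR=65536` in the same hunk is a good hardening change; it is worth checking that no program on the box needs low mappings (vm86-style emulators, for instance), since those will now fail.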
@@ -567,7 +591,9 @@ CONFIG_CRASH_DUMP=y CONFIG_PHYSICAL_START=0x1000000 CONFIG_RELOCATABLE=y CONFIG_PHYSICAL_ALIGN=0x1000000 -# CONFIG_HOTPLUG_CPU is not set +CONFIG_HOTPLUG_CPU=y +# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set +# CONFIG_DEBUG_HOTPLUG_CPU0 is not set CONFIG_LEGACY_VSYSCALL_EMULATE=y # CONFIG_LEGACY_VSYSCALL_NONE is not set # CONFIG_CMDLINE_BOOL is not set @@ -575,6 +601,7 @@ CONFIG_LEGACY_VSYSCALL_EMULATE=y # CONFIG_DEFAULT_MODIFY_LDT_SYSCALL is not set CONFIG_HAVE_LIVEPATCH=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y CONFIG_USE_PERCPU_NUMA_NODE_ID=y # @@ -583,6 +610,7 @@ CONFIG_USE_PERCPU_NUMA_NODE_ID=y # CONFIG_SUSPEND is not set CONFIG_PM=y # CONFIG_PM_DEBUG is not set +CONFIG_PM_OPP=y CONFIG_PM_CLK=y # CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set CONFIG_ACPI=y @@ -591,8 +619,8 @@ CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y # CONFIG_ACPI_DEBUGGER is not set # CONFIG_ACPI_PROCFS_POWER is not set -CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y -# CONFIG_ACPI_EC_DEBUGFS is not set +# CONFIG_ACPI_REV_OVERRIDE_POSSIBLE is not set +CONFIG_ACPI_EC_DEBUGFS=y CONFIG_ACPI_AC=y CONFIG_ACPI_BATTERY=y CONFIG_ACPI_BUTTON=y @@ -603,7 +631,8 @@ CONFIG_ACPI_CPU_FREQ_PSS=y CONFIG_ACPI_PROCESSOR_CSTATE=y CONFIG_ACPI_PROCESSOR_IDLE=y CONFIG_ACPI_PROCESSOR=y -# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_HOTPLUG_CPU=y +CONFIG_ACPI_PROCESSOR_AGGREGATOR=y CONFIG_ACPI_THERMAL=y CONFIG_ACPI_NUMA=y # CONFIG_ACPI_CUSTOM_DSDT is not set @@ -613,6 +642,7 @@ CONFIG_ACPI_TABLE_UPGRADE=y CONFIG_ACPI_PCI_SLOT=y CONFIG_X86_PM_TIMER=y CONFIG_ACPI_CONTAINER=y +CONFIG_ACPI_HOTPLUG_MEMORY=y CONFIG_ACPI_HOTPLUG_IOAPIC=y CONFIG_ACPI_SBS=y CONFIG_ACPI_HED=y 
@@ -626,16 +656,48 @@ CONFIG_ACPI_APEI_GHES=y CONFIG_ACPI_APEI_PCIEAER=y # CONFIG_ACPI_APEI_MEMORY_FAILURE is not set # CONFIG_ACPI_APEI_ERST_DEBUG is not set -# CONFIG_DPTF_POWER is not set +CONFIG_DPTF_POWER=y # CONFIG_ACPI_EXTLOG is not set -# CONFIG_PMIC_OPREGION is not set +CONFIG_PMIC_OPREGION=y CONFIG_ACPI_CONFIGFS=y CONFIG_SFI=y # # CPU Frequency scaling # -# CONFIG_CPU_FREQ is not set +CONFIG_CPU_FREQ=y +CONFIG_CPU_FREQ_GOV_ATTR_SET=y +CONFIG_CPU_FREQ_GOV_COMMON=y +# CONFIG_CPU_FREQ_STAT is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set +CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y +# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL is not set +CONFIG_CPU_FREQ_GOV_PERFORMANCE=y +CONFIG_CPU_FREQ_GOV_POWERSAVE=y +CONFIG_CPU_FREQ_GOV_USERSPACE=y +CONFIG_CPU_FREQ_GOV_ONDEMAND=y +CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y +CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y + +# +# CPU frequency scaling drivers +# +CONFIG_CPUFREQ_DT=y +CONFIG_CPUFREQ_DT_PLATDEV=y +CONFIG_X86_INTEL_PSTATE=y +CONFIG_X86_PCC_CPUFREQ=y +CONFIG_X86_ACPI_CPUFREQ=y +# CONFIG_X86_POWERNOW_K8 is not set +# CONFIG_X86_SPEEDSTEP_CENTRINO is not set +# CONFIG_X86_P4_CLOCKMOD is not set + +# +# shared options +# +# CONFIG_X86_SPEEDSTEP_LIB is not set # # CPU Idle 
@@ -644,24 +706,25 @@ CONFIG_CPU_IDLE=y CONFIG_CPU_IDLE_GOV_LADDER=y CONFIG_CPU_IDLE_GOV_MENU=y # CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set -# CONFIG_INTEL_IDLE is not set +CONFIG_INTEL_IDLE=y # # Memory power savings # -# CONFIG_I7300_IDLE is not set +CONFIG_I7300_IDLE_IOAT_CHANNEL=y +CONFIG_I7300_IDLE=y # # Bus options (PCI etc.) # CONFIG_PCI=y CONFIG_PCI_DIRECT=y -# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_MMCONFIG=y CONFIG_PCI_DOMAINS=y # CONFIG_PCI_CNB20LE_QUIRK is not set CONFIG_PCIEPORTBUS=y CONFIG_PCIEAER=y -# CONFIG_PCIE_ECRC is not set +CONFIG_PCIE_ECRC=y # CONFIG_PCIEAER_INJECT is not set CONFIG_PCIEASPM=y # CONFIG_PCIEASPM_DEBUG is not set @@ -669,13 +732,13 @@ CONFIG_PCIEASPM_DEFAULT=y # CONFIG_PCIEASPM_POWERSAVE is not set # CONFIG_PCIEASPM_PERFORMANCE is not set CONFIG_PCIE_PME=y -# CONFIG_PCIE_DPC is not set -# CONFIG_PCIE_PTM is not set +CONFIG_PCIE_DPC=y +CONFIG_PCIE_PTM=y CONFIG_PCI_BUS_ADDR_T_64BIT=y CONFIG_PCI_MSI=y CONFIG_PCI_MSI_IRQ_DOMAIN=y # CONFIG_PCI_DEBUG is not set -# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +CONFIG_PCI_REALLOC_ENABLE_AUTO=y # CONFIG_PCI_STUB is not set CONFIG_HT_IRQ=y CONFIG_PCI_ATS=y @@ -691,11 +754,11 @@ CONFIG_PCI_LABEL=y CONFIG_PCIE_DW_PLAT=y CONFIG_PCIE_DW=y # CONFIG_VMD is not set -# CONFIG_ISA_BUS is not set +CONFIG_ISA_BUS=y CONFIG_ISA_DMA_API=y # CONFIG_PCCARD is not set # CONFIG_RAPIDIO is not set -CONFIG_X86_SYSFB=y +# CONFIG_X86_SYSFB is not set # # Executable file formats / Emulations @@ -706,7 +769,7 @@ CONFIG_ELFCORE=y CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y CONFIG_BINFMT_SCRIPT=y # CONFIG_HAVE_AOUT is not set -# CONFIG_BINFMT_MISC is not set +CONFIG_BINFMT_MISC=y CONFIG_COREDUMP=y CONFIG_IA32_EMULATION=y CONFIG_IA32_AOUT=y @@ -862,7 +925,6 @@ CONFIG_NETFILTER_XT_SET=y # # Xtables targets # -CONFIG_NETFILTER_XT_TARGET_AUDIT=y CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y CONFIG_NETFILTER_XT_TARGET_CONNMARK=y 
@@ -1242,10 +1304,11 @@ CONFIG_HAVE_EBPF_JIT=y CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y CONFIG_STANDALONE=y -CONFIG_PREVENT_FIRMWARE_BUILD=y +# CONFIG_PREVENT_FIRMWARE_BUILD is not set CONFIG_FW_LOADER=y CONFIG_FIRMWARE_IN_KERNEL=y -CONFIG_EXTRA_FIRMWARE="" +CONFIG_EXTRA_FIRMWARE="iwlwifi-3160-17.ucode" +CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware" CONFIG_FW_LOADER_USER_HELPER=y CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y CONFIG_WANT_DEV_COREDUMP=y @@ -1318,9 +1381,7 @@ CONFIG_VIRTIO_BLK=y # CONFIG_BLK_DEV_HD is not set # CONFIG_BLK_DEV_RBD is not set # CONFIG_BLK_DEV_RSXX is not set -CONFIG_NVME_CORE=y -CONFIG_BLK_DEV_NVME=y -# CONFIG_BLK_DEV_NVME_SCSI is not set +# CONFIG_BLK_DEV_NVME is not set # CONFIG_NVME_TARGET is not set # @@ -1379,7 +1440,7 @@ CONFIG_INTEL_MEI_TXE=y # # Intel MIC Bus Driver # -CONFIG_INTEL_MIC_BUS=y +# CONFIG_INTEL_MIC_BUS is not set # # SCIF Bus Driver @@ -1537,7 +1598,7 @@ CONFIG_SATA_AHCI_PLATFORM=y CONFIG_MD=y CONFIG_BLK_DEV_MD=y CONFIG_MD_AUTODETECT=y -# CONFIG_MD_LINEAR is not set +CONFIG_MD_LINEAR=y CONFIG_MD_RAID0=y CONFIG_MD_RAID1=y CONFIG_MD_RAID10=y @@ -1571,7 +1632,13 @@ CONFIG_DM_UEVENT=y # CONFIG_DM_VERITY is not set # CONFIG_DM_SWITCH is not set # CONFIG_DM_LOG_WRITES is not set -# CONFIG_TARGET_CORE is not set +CONFIG_TARGET_CORE=y +# CONFIG_TCM_IBLOCK is not set +# CONFIG_TCM_FILEIO is not set +# CONFIG_TCM_PSCSI is not set +# CONFIG_TCM_USER2 is not set +# CONFIG_LOOPBACK_TARGET is not set +# CONFIG_ISCSI_TARGET is not set CONFIG_FUSION=y CONFIG_FUSION_SPI=y CONFIG_FUSION_FC=y @@ -1747,11 +1814,10 @@ CONFIG_WLAN_VENDOR_INTEL=y # CONFIG_IPW2200 is not set # CONFIG_IWL4965 is not set # CONFIG_IWL3945 is not set -CONFIG_IWLWIFI=m +CONFIG_IWLWIFI=y CONFIG_IWLWIFI_LEDS=y -CONFIG_IWLDVM=m -CONFIG_IWLMVM=m -CONFIG_IWLWIFI_OPMODE_MODULAR=y +CONFIG_IWLDVM=y +CONFIG_IWLMVM=y # CONFIG_IWLWIFI_BCAST_FILTERING is not set CONFIG_IWLWIFI_PCIE_RTPM=y 
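Review bot: `CONFIG_EXTRA_FIRMWARE="iwlwifi-3160-17.ucode"` with `CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware"` links the wifi firmware into the kernel image, so the build now depends on that file being present on the build host, and that dependency is not reflected in the port's `# Depends on:` line; a missing or stale file either fails the build or silently bakes an old blob in. Built-in firmware is tried before the filesystem, so later firmware fixes dropped into /lib/firmware will not take effect without a kernel rebuild; recording which firmware package (or hash) supplied the .ucode would make that auditable. Disabling `CONFIG_PREVENT_FIRMWARE_BUILD` in the same hunk looks unrelated to EXTRA_FIRMWARE — it governs building in-tree firmware sources, as far as I can tell — and could stay at y.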
@@ -1843,6 +1909,7 @@ CONFIG_MOUSE_PS2_ELANTECH=y # CONFIG_MOUSE_PS2_SENTELIC is not set # CONFIG_MOUSE_PS2_TOUCHKIT is not set CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_PS2_VMMOUSE is not set CONFIG_MOUSE_SERIAL=y # CONFIG_MOUSE_APPLETOUCH is not set # CONFIG_MOUSE_BCM5974 is not set @@ -1962,7 +2029,7 @@ CONFIG_I2C_MUX=y # Multiplexer I2C Chip support # # CONFIG_I2C_ARB_GPIO_CHALLENGE is not set -CONFIG_I2C_MUX_GPIO=y +# CONFIG_I2C_MUX_GPIO is not set # CONFIG_I2C_MUX_PCA9541 is not set # CONFIG_I2C_MUX_PCA954x is not set # CONFIG_I2C_MUX_PINCTRL is not set @@ -1986,7 +2053,7 @@ CONFIG_I2C_ALGOBIT=y # CONFIG_I2C_AMD8111 is not set CONFIG_I2C_I801=y # CONFIG_I2C_ISCH is not set -# CONFIG_I2C_ISMT is not set +CONFIG_I2C_ISMT=y # CONFIG_I2C_PIIX4 is not set # CONFIG_I2C_NFORCE2 is not set # CONFIG_I2C_SIS5595 is not set @@ -2007,7 +2074,7 @@ CONFIG_I2C_SCMI=y CONFIG_I2C_DESIGNWARE_CORE=y CONFIG_I2C_DESIGNWARE_PLATFORM=y CONFIG_I2C_DESIGNWARE_PCI=y -# CONFIG_I2C_DESIGNWARE_BAYTRAIL is not set +CONFIG_I2C_DESIGNWARE_BAYTRAIL=y # CONFIG_I2C_EMEV2 is not set # CONFIG_I2C_GPIO is not set # CONFIG_I2C_OCORES is not set @@ -2048,9 +2115,9 @@ CONFIG_SPI_BITBANG=y # CONFIG_SPI_CADENCE is not set CONFIG_SPI_DESIGNWARE=y CONFIG_SPI_DW_PCI=y -# CONFIG_SPI_DW_MID_DMA is not set +CONFIG_SPI_DW_MID_DMA=y CONFIG_SPI_DW_MMIO=y -CONFIG_SPI_GPIO=y +# CONFIG_SPI_GPIO is not set # CONFIG_SPI_FSL_SPI is not set # CONFIG_SPI_OC_TINY is not set # CONFIG_SPI_PXA2XX is not set @@ -2067,7 +2134,7 @@ CONFIG_SPI_GPIO=y # CONFIG_SPI_SPIDEV is not set # CONFIG_SPI_LOOPBACK_TEST is not set # CONFIG_SPI_TLE62X0 is not set -# CONFIG_SPMI is not set +CONFIG_SPMI=y # CONFIG_HSI is not set # @@ -2108,7 +2175,7 @@ CONFIG_GPIOLIB=y CONFIG_OF_GPIO=y CONFIG_GPIO_ACPI=y # CONFIG_DEBUG_GPIO is not set -CONFIG_GPIO_SYSFS=y +# CONFIG_GPIO_SYSFS is not set # # Memory mapped GPIO drivers 
@@ -2119,7 +2186,7 @@ CONFIG_GPIO_SYSFS=y # CONFIG_GPIO_DWAPB is not set # CONFIG_GPIO_GENERIC_PLATFORM is not set # CONFIG_GPIO_GRGPIO is not set -CONFIG_GPIO_ICH=y +# CONFIG_GPIO_ICH is not set # CONFIG_GPIO_LYNXPOINT is not set # CONFIG_GPIO_MOCKUP is not set # CONFIG_GPIO_VX855 is not set @@ -2129,10 +2196,15 @@ CONFIG_GPIO_ICH=y # # Port-mapped I/O GPIO drivers # +# CONFIG_GPIO_104_DIO_48E is not set +# CONFIG_GPIO_104_IDIO_16 is not set +# CONFIG_GPIO_104_IDI_48 is not set # CONFIG_GPIO_F7188X is not set +# CONFIG_GPIO_GPIO_MM is not set # CONFIG_GPIO_IT87 is not set # CONFIG_GPIO_SCH is not set # CONFIG_GPIO_SCH311X is not set +# CONFIG_GPIO_WS16C48 is not set # # I2C GPIO expanders @@ -2176,7 +2248,34 @@ CONFIG_GPIO_ICH=y # # USB GPIO expanders # -# CONFIG_W1 is not set +CONFIG_W1=y +CONFIG_W1_CON=y + +# +# 1-wire Bus Masters +# +# CONFIG_W1_MASTER_MATROX is not set +# CONFIG_W1_MASTER_DS2490 is not set +# CONFIG_W1_MASTER_DS2482 is not set +# CONFIG_W1_MASTER_DS1WM is not set +# CONFIG_W1_MASTER_GPIO is not set + +# +# 1-wire Slaves +# +CONFIG_W1_SLAVE_THERM=y +# CONFIG_W1_SLAVE_SMEM is not set +# CONFIG_W1_SLAVE_DS2408 is not set +# CONFIG_W1_SLAVE_DS2413 is not set +# CONFIG_W1_SLAVE_DS2406 is not set +# CONFIG_W1_SLAVE_DS2423 is not set +# CONFIG_W1_SLAVE_DS2431 is not set +# CONFIG_W1_SLAVE_DS2433 is not set +# CONFIG_W1_SLAVE_DS2760 is not set +# CONFIG_W1_SLAVE_DS2780 is not set +# CONFIG_W1_SLAVE_DS2781 is not set +# CONFIG_W1_SLAVE_DS28E04 is not set +# CONFIG_W1_SLAVE_BQ27000 is not set # CONFIG_POWER_AVS is not set # CONFIG_POWER_RESET is not set CONFIG_POWER_SUPPLY=y @@ -2190,7 +2289,6 @@ CONFIG_POWER_SUPPLY=y # CONFIG_BATTERY_BQ27XXX is not set # CONFIG_BATTERY_MAX17040 is not set # CONFIG_BATTERY_MAX17042 is not set -# CONFIG_CHARGER_ISP1704 is not set # CONFIG_CHARGER_MAX8903 is not set # CONFIG_CHARGER_LP8727 is not set # CONFIG_CHARGER_GPIO is not set 
@@ -2361,12 +2459,14 @@ CONFIG_THERMAL_GOV_STEP_WISE=y # CONFIG_THERMAL_GOV_BANG_BANG is not set CONFIG_THERMAL_GOV_USER_SPACE=y CONFIG_THERMAL_GOV_POWER_ALLOCATOR=y +# CONFIG_CPU_THERMAL is not set +# CONFIG_CLOCK_THERMAL is not set +# CONFIG_DEVFREQ_THERMAL is not set # CONFIG_THERMAL_EMULATION is not set # CONFIG_QORIQ_THERMAL is not set # CONFIG_INTEL_POWERCLAMP is not set CONFIG_X86_PKG_TEMP_THERMAL=y -CONFIG_INTEL_SOC_DTS_IOSF_CORE=y -CONFIG_INTEL_SOC_DTS_THERMAL=y +# CONFIG_INTEL_SOC_DTS_THERMAL is not set # # ACPI INT340X thermal drivers @@ -2375,7 +2475,7 @@ CONFIG_INTEL_SOC_DTS_THERMAL=y CONFIG_INTEL_PCH_THERMAL=y CONFIG_WATCHDOG=y CONFIG_WATCHDOG_CORE=y -CONFIG_WATCHDOG_NOWAYOUT=y +# CONFIG_WATCHDOG_NOWAYOUT is not set CONFIG_WATCHDOG_SYSFS=y # @@ -2393,6 +2493,7 @@ CONFIG_WATCHDOG_SYSFS=y # CONFIG_ADVANTECH_WDT is not set # CONFIG_ALIM1535_WDT is not set # CONFIG_ALIM7101_WDT is not set +# CONFIG_EBC_C384_WDT is not set # CONFIG_F71808E_WDT is not set # CONFIG_SP5100_TCO is not set # CONFIG_SBC_FITPC2_WATCHDOG is not set @@ -2444,18 +2545,7 @@ CONFIG_SSB_POSSIBLE=y # # Sonics Silicon Backplane # -CONFIG_SSB=y -CONFIG_SSB_SPROM=y -CONFIG_SSB_PCIHOST_POSSIBLE=y -CONFIG_SSB_PCIHOST=y -# CONFIG_SSB_B43_PCI_BRIDGE is not set -CONFIG_SSB_SDIOHOST_POSSIBLE=y -# CONFIG_SSB_SDIOHOST is not set -# CONFIG_SSB_SILENT is not set -# CONFIG_SSB_DEBUG is not set -CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y -CONFIG_SSB_DRIVER_PCICORE=y -# CONFIG_SSB_DRIVER_GPIO is not set +# CONFIG_SSB is not set CONFIG_BCMA_POSSIBLE=y # @@ -2751,7 +2841,7 @@ CONFIG_AGP_INTEL=y # CONFIG_AGP_VIA is not set CONFIG_INTEL_GTT=y CONFIG_VGA_ARB=y -CONFIG_VGA_ARB_MAX_GPUS=1 +CONFIG_VGA_ARB_MAX_GPUS=2 # CONFIG_VGA_SWITCHEROO is not set CONFIG_DRM=y CONFIG_DRM_MIPI_DSI=y 
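Review bot: `# CONFIG_WATCHDOG_NOWAYOUT is not set` in the hunk at `@@ -2375,7 +2475,7 @@` lets the hardware watchdog be disarmed by a magic close of /dev/watchdog, so a watchdog daemon that is shut down cleanly no longer leads to a reset; with NOWAYOUT=y the watchdog, once opened, is satisfied only by continued heartbeats. On an unattended host that is an availability regression worth a deliberate decision; if it is intended for a laptop, the commit message should say so.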
@@ -3047,13 +3137,13 @@ CONFIG_SND_HDA_RECONFIG=y CONFIG_SND_HDA_INPUT_BEEP=y CONFIG_SND_HDA_INPUT_BEEP_MODE=1 # CONFIG_SND_HDA_PATCH_LOADER is not set -CONFIG_SND_HDA_CODEC_REALTEK=y -# CONFIG_SND_HDA_CODEC_ANALOG is not set +# CONFIG_SND_HDA_CODEC_REALTEK is not set +CONFIG_SND_HDA_CODEC_ANALOG=y # CONFIG_SND_HDA_CODEC_SIGMATEL is not set # CONFIG_SND_HDA_CODEC_VIA is not set CONFIG_SND_HDA_CODEC_HDMI=y # CONFIG_SND_HDA_CODEC_CIRRUS is not set -# CONFIG_SND_HDA_CODEC_CONEXANT is not set +CONFIG_SND_HDA_CODEC_CONEXANT=y # CONFIG_SND_HDA_CODEC_CA0110 is not set # CONFIG_SND_HDA_CODEC_CA0132 is not set # CONFIG_SND_HDA_CODEC_CMEDIA is not set @@ -3177,10 +3267,9 @@ CONFIG_USB_ANNOUNCE_NEW_DEVICES=y # CONFIG_USB_DEFAULT_PERSIST=y # CONFIG_USB_DYNAMIC_MINORS is not set -CONFIG_USB_OTG=y +# CONFIG_USB_OTG is not set # CONFIG_USB_OTG_WHITELIST is not set # CONFIG_USB_OTG_BLACKLIST_HUB is not set -CONFIG_USB_OTG_FSM=y # CONFIG_USB_LEDS_TRIGGER_USBPORT is not set CONFIG_USB_MON=y # CONFIG_USB_WUSB_CBAF is not set @@ -3204,12 +3293,10 @@ CONFIG_USB_EHCI_HCD_PLATFORM=y # CONFIG_USB_MAX3421_HCD is not set CONFIG_USB_OHCI_HCD=y CONFIG_USB_OHCI_HCD_PCI=y -# CONFIG_USB_OHCI_HCD_SSB is not set -# CONFIG_USB_OHCI_HCD_PLATFORM is not set +CONFIG_USB_OHCI_HCD_PLATFORM=y CONFIG_USB_UHCI_HCD=y # CONFIG_USB_SL811_HCD is not set # CONFIG_USB_R8A66597_HCD is not set -# CONFIG_USB_HCD_SSB is not set # CONFIG_USB_HCD_TEST_MODE is not set # 
@@ -3251,23 +3338,8 @@ CONFIG_USB_UAS=y # CONFIG_USB_MICROTEK is not set # CONFIG_USBIP_CORE is not set # CONFIG_USB_MUSB_HDRC is not set -CONFIG_USB_DWC3=y -CONFIG_USB_DWC3_HOST=y - -# -# Platform Glue Driver Support -# -CONFIG_USB_DWC3_PCI=y -CONFIG_USB_DWC3_OF_SIMPLE=y -CONFIG_USB_DWC2=y -CONFIG_USB_DWC2_HOST=y - -# -# Gadget/Dual-role mode requires USB Gadget support to be enabled -# -# CONFIG_USB_DWC2_PCI is not set -# CONFIG_USB_DWC2_DEBUG is not set -# CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set +# CONFIG_USB_DWC3 is not set +# CONFIG_USB_DWC2 is not set # CONFIG_USB_CHIPIDEA is not set # CONFIG_USB_ISP1760 is not set @@ -3359,13 +3431,13 @@ CONFIG_USB_SERIAL_FTDI_SIO=y # # USB Physical Layer drivers # -CONFIG_USB_PHY=y +# CONFIG_USB_PHY is not set # CONFIG_NOP_USB_XCEIV is not set # CONFIG_USB_GPIO_VBUS is not set # CONFIG_USB_ISP1301 is not set # CONFIG_USB_GADGET is not set -# CONFIG_USB_LED_TRIG is not set -# CONFIG_USB_ULPI_BUS is not set +CONFIG_USB_LED_TRIG=y +CONFIG_USB_ULPI_BUS=y # CONFIG_UWB is not set CONFIG_MMC=y # CONFIG_MMC_DEBUG is not set @@ -3398,7 +3470,7 @@ CONFIG_MMC_SPI=y # CONFIG_MMC_CB710 is not set # CONFIG_MMC_VIA_SDMMC is not set # CONFIG_MMC_VUB300 is not set -# CONFIG_MMC_USHC is not set +CONFIG_MMC_USHC=y # CONFIG_MMC_USDHI6ROL0 is not set # CONFIG_MMC_TOSHIBA_PCI is not set # CONFIG_MMC_MTK is not set 
@@ -3465,7 +3537,24 @@ CONFIG_LEDS_TRIGGERS=y # CONFIG_INFINIBAND is not set CONFIG_EDAC_ATOMIC_SCRUB=y CONFIG_EDAC_SUPPORT=y -# CONFIG_EDAC is not set +CONFIG_EDAC=y +# CONFIG_EDAC_LEGACY_SYSFS is not set +# CONFIG_EDAC_DEBUG is not set +CONFIG_EDAC_MM_EDAC=y +CONFIG_EDAC_GHES=y +# CONFIG_EDAC_E752X is not set +# CONFIG_EDAC_I82975X is not set +# CONFIG_EDAC_I3000 is not set +# CONFIG_EDAC_I3200 is not set +# CONFIG_EDAC_IE31200 is not set +# CONFIG_EDAC_X38 is not set +# CONFIG_EDAC_I5400 is not set +# CONFIG_EDAC_I7CORE is not set +# CONFIG_EDAC_I5000 is not set +# CONFIG_EDAC_I5100 is not set +# CONFIG_EDAC_I7300 is not set +CONFIG_EDAC_SBRIDGE=y +# CONFIG_EDAC_SKX is not set CONFIG_RTC_LIB=y CONFIG_RTC_MC146818_LIB=y CONFIG_RTC_CLASS=y @@ -3581,11 +3670,10 @@ CONFIG_DMA_OF=y # CONFIG_FSL_EDMA is not set CONFIG_INTEL_IDMA64=y CONFIG_INTEL_IOATDMA=y -CONFIG_INTEL_MIC_X100_DMA=y # CONFIG_QCOM_HIDMA_MGMT is not set # CONFIG_QCOM_HIDMA is not set CONFIG_DW_DMAC_CORE=y -# CONFIG_DW_DMAC is not set +CONFIG_DW_DMAC=y CONFIG_DW_DMAC_PCI=y CONFIG_HSU_DMA=y @@ -3601,7 +3689,8 @@ CONFIG_DMA_ENGINE_RAID=y # # CONFIG_SYNC_FILE is not set CONFIG_DCA=y -# CONFIG_AUXDISPLAY is not set +CONFIG_AUXDISPLAY=y +# CONFIG_IMG_ASCII_LCD is not set CONFIG_UIO=y # CONFIG_UIO_CIF is not set # CONFIG_UIO_PDRV_GENIRQ is not set @@ -3621,7 +3710,7 @@ CONFIG_VIRTIO=y # Virtio drivers # CONFIG_VIRTIO_PCI=y -CONFIG_VIRTIO_PCI_LEGACY=y +# CONFIG_VIRTIO_PCI_LEGACY is not set CONFIG_VIRTIO_BALLOON=y CONFIG_VIRTIO_INPUT=y CONFIG_VIRTIO_MMIO=y @@ -3630,6 +3719,7 @@ CONFIG_VIRTIO_MMIO=y # # Microsoft Hyper-V guest support # +# CONFIG_HYPERV is not set # CONFIG_STAGING is not set CONFIG_X86_PLATFORM_DEVICES=y # CONFIG_ACER_WMI is not set @@ -3726,7 +3816,7 @@ CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_FLOPPY_WA=y -# CONFIG_IRQ_REMAP is not set +CONFIG_IRQ_REMAP=y # # Remoteproc drivers 
@@ -3746,7 +3836,21 @@ CONFIG_INTEL_IOMMU_FLOPPY_WA=y # # CONFIG_SUNXI_SRAM is not set # CONFIG_SOC_TI is not set -# CONFIG_PM_DEVFREQ is not set +CONFIG_PM_DEVFREQ=y + +# +# DEVFREQ Governors +# +# CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND is not set +# CONFIG_DEVFREQ_GOV_PERFORMANCE is not set +# CONFIG_DEVFREQ_GOV_POWERSAVE is not set +# CONFIG_DEVFREQ_GOV_USERSPACE is not set +# CONFIG_DEVFREQ_GOV_PASSIVE is not set + +# +# DEVFREQ Drivers +# +# CONFIG_PM_DEVFREQ_EVENT is not set # CONFIG_EXTCON is not set # CONFIG_MEMORY is not set # CONFIG_IIO is not set @@ -3766,8 +3870,9 @@ CONFIG_GENERIC_PHY=y # CONFIG_PHY_PXA_28NM_HSIC is not set # CONFIG_PHY_PXA_28NM_USB2 is not set # CONFIG_BCM_KONA_USB2_PHY is not set -# CONFIG_PHY_SAMSUNG_USB2 is not set -# CONFIG_POWERCAP is not set +# CONFIG_PHY_TUSB1210 is not set +CONFIG_POWERCAP=y +CONFIG_INTEL_RAPL=y # CONFIG_MCB is not set # @@ -3781,6 +3886,7 @@ CONFIG_RAS=y # # CONFIG_ANDROID is not set # CONFIG_LIBNVDIMM is not set +# CONFIG_DEV_DAX is not set # CONFIG_NVMEM is not set # CONFIG_STM is not set # CONFIG_INTEL_TH is not set @@ -3846,7 +3952,7 @@ CONFIG_BTRFS_FS_POSIX_ACL=y # CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set # CONFIG_BTRFS_DEBUG is not set # CONFIG_BTRFS_ASSERT is not set -CONFIG_NILFS2_FS=y +# CONFIG_NILFS2_FS is not set CONFIG_F2FS_FS=y CONFIG_F2FS_FS_XATTR=y CONFIG_F2FS_FS_POSIX_ACL=y @@ -3866,8 +3972,14 @@ CONFIG_DNOTIFY=y CONFIG_INOTIFY_USER=y CONFIG_FANOTIFY=y # CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set -# CONFIG_QUOTA is not set -# CONFIG_QUOTACTL is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_QUOTACTL_COMPAT=y # CONFIG_AUTOFS4_FS is not set CONFIG_FUSE_FS=y # CONFIG_CUSE is not set 
@@ -4122,6 +4234,7 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=21
 # CONFIG_RCU_EQS_DEBUG is not set
 # CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set
 # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set
 # CONFIG_FAULT_INJECTION is not set
 CONFIG_USER_STACKTRACE_SUPPORT=y
 CONFIG_HAVE_FUNCTION_TRACER=y
@@ -4195,7 +4308,7 @@ CONFIG_DEFAULT_IO_DELAY_TYPE=0
 # CONFIG_OPTIMIZE_INLINING is not set
 # CONFIG_DEBUG_ENTRY is not set
 # CONFIG_DEBUG_NMI_SELFTEST is not set
-CONFIG_X86_DEBUG_FPU=y
+# CONFIG_X86_DEBUG_FPU is not set
 #
 # Security options
@@ -4207,29 +4320,11 @@ CONFIG_X86_DEBUG_FPU=y
 CONFIG_PAX_PER_CPU_PGD=y
 CONFIG_TASK_SIZE_MAX_SHIFT=42
 CONFIG_GRKERNSEC=y
-CONFIG_GRKERNSEC_CONFIG_AUTO=y
-# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
-# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
-CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
-# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
-# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
-CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
-CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
-# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
-# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
-# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
-CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
-# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
-# CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set
-# CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set
-CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y
-
- #
- # Default Special Groups
- #
-CONFIG_GRKERNSEC_PROC_GID=1001
-CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005
-CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006
+# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
+CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
+CONFIG_GRKERNSEC_PROC_GID=4
+CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100
+CONFIG_GRKERNSEC_SYMLINKOWN_GID=15
 #
 # Customize Configuration
@@ -4244,7 +4339,7 @@ CONFIG_PAX=y
 # PaX Control
 #
 # CONFIG_PAX_SOFTMODE is not set
-CONFIG_PAX_EI_PAX=y
+# CONFIG_PAX_EI_PAX is not set
 CONFIG_PAX_PT_PAX_FLAGS=y
 CONFIG_PAX_XATTR_PAX_FLAGS=y
 # CONFIG_PAX_NO_ACL_FLAGS is not set
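Review bot: The special-purpose GIDs are re-pointed at low system ids in the `@@ -4207,29 +4320,11 @@` hunk (`CONFIG_GRKERNSEC_PROC_GID=4`, `CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100`, `CONFIG_GRKERNSEC_SYMLINKOWN_GID=15`), but nothing in the port records which groups those ids are on the target, while the replaced values 1001/1005/1006 look like dedicated groups. Since `CONFIG_GRKERNSEC_CONFIG_CUSTOM=y` now makes every grsec knob a hand-picked choice, the mapping should be written down where the config is installed, e.g. a Pkgfile comment such as `# grsec GIDs: 4 = /proc readers, 100 = TPE-trusted, 15 = symlinkown; all must exist in the target's /etc/group`, and the ids checked against that file before the kernel ships. If 15 or 100 is also a general-purpose group on this host, the restriction it gates is silently widened to every member of that group. Turning `CONFIG_PAX_EI_PAX` off in the last hunk is fine on its own because `CONFIG_PAX_PT_PAX_FLAGS=y` and `CONFIG_PAX_XATTR_PAX_FLAGS=y` remain as the marking mechanisms.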
@@ -4264,7 +4359,6 @@ CONFIG_PAX_KERNEXEC=y
 CONFIG_PAX_KERNEXEC_PLUGIN=y
 # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set
 CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
-# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set
 #
 # Address Space Layout Randomization
@@ -4306,14 +4400,14 @@ CONFIG_GRKERNSEC_BRUTE=y
 CONFIG_GRKERNSEC_MODHARDEN=y
 CONFIG_GRKERNSEC_HIDESYM=y
 CONFIG_GRKERNSEC_RANDSTRUCT=y
-# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set
+CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GRKERNSEC_KERN_LOCKOUT=y
 #
 # Role Based Access Control Options
 #
 # CONFIG_GRKERNSEC_NO_RBAC is not set
-# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
+CONFIG_GRKERNSEC_ACL_HIDEKERN=y
 CONFIG_GRKERNSEC_ACL_MAXTRIES=3
 CONFIG_GRKERNSEC_ACL_TIMEOUT=30
@@ -4327,7 +4421,7 @@ CONFIG_GRKERNSEC_PROC_ADD=y
 CONFIG_GRKERNSEC_LINK=y
 CONFIG_GRKERNSEC_SYMLINKOWN=y
 CONFIG_GRKERNSEC_FIFO=y
-CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
+# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
 CONFIG_GRKERNSEC_ROFS=y
 CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
 CONFIG_GRKERNSEC_CHROOT=y
@@ -4351,7 +4445,7 @@ CONFIG_GRKERNSEC_CHROOT_INITRD=y
 # Kernel Auditing
 #
 CONFIG_GRKERNSEC_AUDIT_GROUP=y
-CONFIG_GRKERNSEC_AUDIT_GID=1007
+CONFIG_GRKERNSEC_AUDIT_GID=99
 CONFIG_GRKERNSEC_EXECLOG=y
 CONFIG_GRKERNSEC_RESLOG=y
 CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
@@ -4376,7 +4470,7 @@ CONFIG_GRKERNSEC_HARDEN_TTY=y
 CONFIG_GRKERNSEC_TPE=y
 CONFIG_GRKERNSEC_TPE_ALL=y
 CONFIG_GRKERNSEC_TPE_INVERT=y
-CONFIG_GRKERNSEC_TPE_GID=1005
+CONFIG_GRKERNSEC_TPE_GID=100
 #
 # Network Protections
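Review bot: `CONFIG_GRKERNSEC_TPE_GID=100` in the `@@ -4376,7 +4470,7 @@` hunk sits next to `CONFIG_GRKERNSEC_TPE_INVERT=y` and `CONFIG_GRKERNSEC_TPE_ALL=y`, so gid 100 names the group that is exempt from trusted-path execution rather than the group it is enforced on; if 100 is the ordinary users group on this host, TPE would exempt exactly the accounts it is meant to constrain, so the choice needs a comment in the port stating which group this is. The same id reuse appears with `CONFIG_GRKERNSEC_AUDIT_GID=99`, which the next hunk also uses as `CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99`: members of that group are both exec-audited and barred from server sockets, which may not be the intent. Switching `CONFIG_GRKERNSEC_SYSFS_RESTRICT` off in the `@@ -4327,7 +4421,7 @@` hunk is a deliberate relaxation that the change does not explain anywhere; a one-line reason in the commit description would save the next reader from re-deriving it.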
@@ -4385,24 +4479,24 @@ CONFIG_GRKERNSEC_BLACKHOLE=y
 CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
 CONFIG_GRKERNSEC_SOCKET=y
 CONFIG_GRKERNSEC_SOCKET_ALL=y
-CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
+CONFIG_GRKERNSEC_SOCKET_ALL_GID=200
 CONFIG_GRKERNSEC_SOCKET_CLIENT=y
-CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15
 CONFIG_GRKERNSEC_SOCKET_SERVER=y
-CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99
 #
 # Physical Protections
 #
 CONFIG_GRKERNSEC_DENYUSB=y
-CONFIG_GRKERNSEC_DENYUSB_FORCE=y
+# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
 #
 # Sysctl Support
 #
 CONFIG_GRKERNSEC_SYSCTL=y
 CONFIG_GRKERNSEC_SYSCTL_DISTRO=y
-CONFIG_GRKERNSEC_SYSCTL_ON=y
+# CONFIG_GRKERNSEC_SYSCTL_ON is not set
 #
 # Logging Options
@@ -4423,14 +4517,12 @@ CONFIG_SECURITY_PATH=y
 # CONFIG_INTEL_TXT is not set
 CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
 CONFIG_HARDENED_USERCOPY=y
-# CONFIG_SECURITY_SELINUX is not set
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
-CONFIG_INTEGRITY_AUDIT=y
 # CONFIG_IMA is not set
 # CONFIG_EVM is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
@@ -4510,7 +4602,7 @@ CONFIG_CRYPTO_HMAC=y
 # Digest
 #
 CONFIG_CRYPTO_CRC32C=y
-# CONFIG_CRYPTO_CRC32C_INTEL is not set
+CONFIG_CRYPTO_CRC32C_INTEL=y
 CONFIG_CRYPTO_CRC32=y
 # CONFIG_CRYPTO_CRC32_PCLMUL is not set
 CONFIG_CRYPTO_CRCT10DIF=y
@@ -4580,7 +4672,7 @@ CONFIG_CRYPTO_DES=y
 # Compression
 #
 CONFIG_CRYPTO_DEFLATE=y
-# CONFIG_CRYPTO_LZO is not set
+CONFIG_CRYPTO_LZO=y
 # CONFIG_CRYPTO_842 is not set
 # CONFIG_CRYPTO_LZ4 is not set
 # CONFIG_CRYPTO_LZ4HC is not set
@@ -4635,6 +4727,7 @@ CONFIG_KVM_INTEL=y
 # CONFIG_KVM_AMD is not set
 # CONFIG_KVM_DEVICE_ASSIGNMENT is not set
 CONFIG_VHOST_NET=y
+CONFIG_VHOST_SCSI=m
 CONFIG_VHOST_VSOCK=y
 CONFIG_VHOST=y
 CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y
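Review bot: `# CONFIG_GRKERNSEC_SYSCTL_ON is not set` next to `CONFIG_GRKERNSEC_SYSCTL=y` in the `@@ -4385,24 +4479,24 @@` hunk means the sysctl-controlled grsecurity protections are compiled in but start disabled, and only take effect once userspace sets the `kernel.grsecurity.*` sysctls and locks them with `kernel.grsecurity.grsec_lock`; nothing in this commit adds such a sysctl configuration, so as committed the hardening configured here is inert at boot. `# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set` has the same effect for the new-USB-device block, which becomes a runtime sysctl that defaults to off. Either restore `CONFIG_GRKERNSEC_SYSCTL_ON=y` or ship the matching sysctl file in the same commit, and say which in the description. The dropped `-# CONFIG_SECURITY_SELINUX is not set` and `-CONFIG_INTEGRITY_AUDIT=y` lines in the `@@ -4423,14 +4517,12 @@` hunk are a consequence of `CONFIG_AUDIT` being disabled earlier in this diff, not an independent choice, so they need no separate justification.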
@@ -4678,11 +4771,11 @@ CONFIG_LZO_DECOMPRESS=y CONFIG_LZ4_DECOMPRESS=y CONFIG_XZ_DEC=y CONFIG_XZ_DEC_X86=y -CONFIG_XZ_DEC_POWERPC=y -CONFIG_XZ_DEC_IA64=y -CONFIG_XZ_DEC_ARM=y -CONFIG_XZ_DEC_ARMTHUMB=y -CONFIG_XZ_DEC_SPARC=y +# CONFIG_XZ_DEC_POWERPC is not set +# CONFIG_XZ_DEC_IA64 is not set +# CONFIG_XZ_DEC_ARM is not set +# CONFIG_XZ_DEC_ARMTHUMB is not set +# CONFIG_XZ_DEC_SPARC is not set CONFIG_XZ_DEC_BCJ=y # CONFIG_XZ_DEC_TEST is not set CONFIG_DECOMPRESS_GZIP=y @@ -4697,6 +4790,7 @@ CONFIG_TEXTSEARCH_KMP=y CONFIG_TEXTSEARCH_BM=y CONFIG_TEXTSEARCH_FSM=y CONFIG_INTERVAL_TREE=y +CONFIG_RADIX_TREE_MULTIORDER=y CONFIG_ASSOCIATIVE_ARRAY=y CONFIG_HAS_IOMEM=y CONFIG_HAS_IOPORT_MAP=y diff --git a/core/ports/linux-blob/port-blob-grsecurity.patch b/core/ports/linux-blob/port-blob-grsecurity.patch index 22d4580..ba2fb6d 100644 --- a/core/ports/linux-blob/port-blob-grsecurity.patch +++ b/core/ports/linux-blob/port-blob-grsecurity.patch @@ -1,5 +1,5 @@ ---- grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 05:14:08.682388834 +0000 -+++ grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 05:15:45.579051680 +0000 +--- grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 05:14:08.682388834 +0000 ++++ grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 05:15:45.579051680 +0000 -diff --git a/localversion-grsec b/localversion-grsec -new file mode 100644 -index 0000000..7cd6065 @@ -10,8 +10,8 @@ diff --git a/mm/Kconfig b/mm/Kconfig index 86e3e0e..ab679cf 100644 --- a/mm/Kconfig ---- grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 09:07:57.220274062 +0000 -+++ grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 09:08:16.380274647 +0000 +--- grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 09:07:57.220274062 +0000 ++++ grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 09:08:16.380274647 +0000 @@ -156547,13 +156547,6 @@ break; } diff --git a/core/ports/linux-blob/port-blob-make.patch b/core/ports/linux-blob/port-blob-make.patch index 368d592..67ee22e 100644 
--- a/core/ports/linux-blob/port-blob-make.patch +++ b/core/ports/linux-blob/port-blob-make.patch @@ -3,7 +3,7 @@ @@ -1,7 +1,7 @@ VERSION = 4 PATCHLEVEL = 9 - SUBLEVEL = 11 + SUBLEVEL = 12 -EXTRAVERSION = +EXTRAVERSION = -blob NAME = Roaring Lionus diff --git a/core/ports/linux-libre/.footprint b/core/ports/linux-libre/.footprint index 1279a5d..7532882 100644 --- a/core/ports/linux-libre/.footprint +++ b/core/ports/linux-libre/.footprint 
@@ -1,59 +1,52 @@ drwxr-xr-x root/root boot/ --rw-r--r-- root/root boot/System.map-4.9.11-grsec --rw-r--r-- root/root boot/config-4.9.11-grsec --rw-r--r-- root/root boot/vmlinuz-4.9.11-grsec +-rw-r--r-- root/root boot/System.map-4.9.12-grsec +-rw-r--r-- root/root boot/config-4.9.12-grsec +-rw-r--r-- root/root boot/vmlinuz-4.9.12-grsec drwxr-xr-x root/root lib/ drwxr-xr-x root/root lib/modules/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/ -lrwxrwxrwx root/root lib/modules/4.9.11-grsec/build -> /usr/src/linux-4.9.11 -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_camera.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/gspca/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/gspca/gspca_main.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/uvc/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/uvc/uvcvideo.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf-core.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-core.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-memops.ko --rw-r--r-- root/root 
lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/fs/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/fs/ntfs/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/fs/ntfs/ntfs.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.alias --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.alias.bin --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.builtin --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.builtin.bin --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.dep --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.dep.bin --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.devname (EMPTY) --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.order --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.softdep --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.symbols --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.symbols.bin -lrwxrwxrwx root/root lib/modules/4.9.11-grsec/source -> /usr/src/linux-4.9.11 +drwxr-xr-x root/root 
lib/modules/4.9.12-grsec/ +lrwxrwxrwx root/root lib/modules/4.9.12-grsec/build -> /usr/src/linux-4.9.12 +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/soc_camera/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/soc_camera/soc_camera.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/gspca/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/gspca/gspca_main.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/uvc/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/uvc/uvcvideo.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf-core.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf2-core.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf2-memops.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/vhost/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/vhost/vhost_scsi.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/fs/ 
+drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/fs/ntfs/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/fs/ntfs/ntfs.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.alias +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.alias.bin +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.builtin +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.builtin.bin +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.dep (EMPTY) +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.dep.bin +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.devname (EMPTY) +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.order +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.softdep +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.symbols +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.symbols.bin +lrwxrwxrwx root/root lib/modules/4.9.12-grsec/source -> /usr/src/linux-4.9.12 drwxr-xr-x root/root usr/ drwxr-xr-x root/root usr/src/ --rw-r--r-- root/root usr/src/4.9.11-cpu_optimizations.patch --rw-r--r-- root/root usr/src/4.9.11-libre-config --rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.11-201702181444.patch +-rw-r--r-- root/root usr/src/4.9.12-cpu_optimizations.patch +-rw-r--r-- root/root usr/src/4.9.12-libre-config +-rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.12-201702231830.patch -rw-r--r-- root/root usr/src/port-libre-cpu.patch -rw-r--r-- root/root usr/src/port-libre-grsecurity.patch -rw-r--r-- root/root usr/src/port-libre-make.patch diff --git a/core/ports/linux-libre/.md5sum b/core/ports/linux-libre/.md5sum index ddd1878..cef0720 100644 --- a/core/ports/linux-libre/.md5sum +++ b/core/ports/linux-libre/.md5sum 
@@ -1,7 +1,7 @@
-bf30b0af56c2621e317cab5e44d4235e config-c9
+4cfe0909ea898be7ccc712ab162be13d config-c9
 00bc0d70f200c2673fe7dd6f02053fa4 enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
-e4eb7eab3a40968c3bd4a0a19339a6a1 grsecurity-3.1-4.9.11-201702181444.patch
-2af743d6b73201d5db83c1ccb175ed30 linux-libre-4.9.11-gnu.tar.xz
+83b031b26dc0aeb3ccf8c45785253225 grsecurity-3.1-4.9.12-201702231830.patch
+5b1128ad1a2b482b03dd20866c095fda linux-libre-4.9.12-gnu.tar.xz
 bcf38b0fbf7bd83323f3202ec082b15a port-libre-cpu.patch
-f9b2f7572adec2c46c1f1be2b784490e port-libre-grsecurity.patch
-ce88c28573de7b41ef686f4201d0abfa port-libre-make.patch
+3a498293739a8a81f0741aaef9226812 port-libre-grsecurity.patch
+74ee54e8604788162c147b7e509b8c34 port-libre-make.patch
diff --git a/core/ports/linux-libre/Pkgfile b/core/ports/linux-libre/Pkgfile
index 154435f..e7f824d 100644
--- a/core/ports/linux-libre/Pkgfile
+++ b/core/ports/linux-libre/Pkgfile
@@ -4,11 +4,11 @@
 # Depends on: grub2 dracut
 name=linux-libre
-version=4.9.11
-release=2
+version=4.9.12
+release=1
 source=(http://linux-libre.fsfla.org/pub/linux-libre/releases/$version-gnu/$name-$version-gnu.tar.xz \
 https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \
- http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \
+ http://grsecurity.net/test/grsecurity-3.1-4.9.12-201702231830.patch \
 port-libre-grsecurity.patch \
 port-libre-cpu.patch \
 port-libre-make.patch \
@@ -24,7 +24,7 @@ build() {
 install -m 0644 $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch
 # /usr/src/grsecurity-version.patch
- install -m 0644 $SRC/grsecurity-3.1-4.9.11-201702181444.patch $PKG/usr/src/
+ install -m 0644 $SRC/grsecurity-3.1-4.9.12-201702231830.patch $PKG/usr/src/
 install -m 0644 $SRC/port-libre-grsecurity.patch $PKG/usr/src/
 install -m 0644 $SRC/port-libre-cpu.patch $PKG/usr/src/
 install -m 0644 $SRC/port-libre-make.patch $PKG/usr/src/
@@ -32,19 +32,22 @@ build() {
 patch < port-libre-grsecurity.patch
 patch < port-libre-cpu.patch
+ # fix to build under tpe
+ chmod -R go-w linux-$version
+
 cd linux-$version
 patch < ${SRC}/port-libre-make.patch
 make distclean
- patch -p1 < $SRC/grsecurity-3.1-4.9.11-201702181444.patch
+ patch -p1 < $SRC/grsecurity-3.1-4.9.12-201702231830.patch
 patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
 cp $SRC/config-c9 .config
 make silentoldconfig
- make nconfig
+ # make nconfig
 # make localmodconfig
 install -m 0644 .config $PKG/usr/src/${version}-libre-config
diff --git a/core/ports/linux-libre/config-c9 b/core/ports/linux-libre/config-c9
index 236d79e..0bd5108 100644
--- a/core/ports/linux-libre/config-c9
+++ b/core/ports/linux-libre/config-c9
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.9.11-grsec Kernel Configuration
+# Linux/x86 4.9.12-blob Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -62,10 +62,10 @@ CONFIG_HAVE_KERNEL_LZMA=y
 CONFIG_HAVE_KERNEL_XZ=y
 CONFIG_HAVE_KERNEL_LZO=y
 CONFIG_HAVE_KERNEL_LZ4=y
-# CONFIG_KERNEL_GZIP is not set
+CONFIG_KERNEL_GZIP=y
 # CONFIG_KERNEL_BZIP2 is not set
 # CONFIG_KERNEL_LZMA is not set
-CONFIG_KERNEL_XZ=y
+# CONFIG_KERNEL_XZ is not set
 # CONFIG_KERNEL_LZO is not set
 # CONFIG_KERNEL_LZ4 is not set
 CONFIG_DEFAULT_HOSTNAME="(none)"
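Review bot: `chmod -R go-w linux-$version` in the `@@ -32,19 +32,22 @@ build() {` hunk expands `$version` unquoted and without an end-of-options marker; write it as `chmod -R go-w -- "linux-$version"` (the same applies to the `cd linux-$version` context line next to it). The comment `# fix to build under tpe` should say what is being fixed, since the permission change is a workaround for trusted-path execution refusing to run binaries out of group- or world-writable directories on the build host, e.g. `# TPE refuses to exec from group/world-writable dirs; strip those bits from the unpacked tree`. The grsecurity patch fed to `patch -p1 <` in the same hunk is fetched over plain `http://` (source list in the previous hunk) and its only integrity check is the MD5 in .md5sum; fetching it over https and checking a stronger digest or the upstream signature before it is applied would close that gap. Note also that the file copied in by `cp $SRC/config-c9 .config` now carries the header `# Linux/x86 4.9.12-blob Kernel Configuration` in the `config-c9` hunk that follows, which suggests it was generated in the linux-blob tree rather than in this port.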
@@ -76,11 +76,8 @@ CONFIG_POSIX_MQUEUE=y
 CONFIG_POSIX_MQUEUE_SYSCTL=y
 CONFIG_CROSS_MEMORY_ATTACH=y
 CONFIG_FHANDLE=y
-CONFIG_AUDIT=y
+# CONFIG_AUDIT is not set
 CONFIG_HAVE_ARCH_AUDITSYSCALL=y
-CONFIG_AUDITSYSCALL=y
-CONFIG_AUDIT_WATCH=y
-CONFIG_AUDIT_TREE=y
 #
 # IRQ subsystem
@@ -119,12 +116,13 @@ CONFIG_HIGH_RES_TIMERS=y
 #
 CONFIG_TICK_CPU_ACCOUNTING=y
 # CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
-CONFIG_IRQ_TIME_ACCOUNTING=y
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
 CONFIG_BSD_PROCESS_ACCT=y
 CONFIG_BSD_PROCESS_ACCT_V3=y
 CONFIG_TASKSTATS=y
 CONFIG_TASK_DELAY_ACCT=y
-# CONFIG_TASK_XACCT is not set
+CONFIG_TASK_XACCT=y
+CONFIG_TASK_IO_ACCOUNTING=y
 #
 # RCU Subsystem
@@ -138,7 +136,7 @@ CONFIG_RCU_STALL_COMMON=y
 CONFIG_BUILD_BIN2C=y
 CONFIG_IKCONFIG=y
 CONFIG_IKCONFIG_PROC=y
-CONFIG_LOG_BUF_SHIFT=18
+CONFIG_LOG_BUF_SHIFT=19
 CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
 CONFIG_NMI_LOG_BUF_SHIFT=13
 CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
@@ -149,14 +147,15 @@ CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y
 CONFIG_CGROUPS=y
 CONFIG_PAGE_COUNTER=y
 CONFIG_MEMCG=y
-# CONFIG_MEMCG_SWAP is not set
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_SWAP_ENABLED=y
 CONFIG_BLK_CGROUP=y
-# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_DEBUG_BLK_CGROUP=y
 CONFIG_CGROUP_WRITEBACK=y
 CONFIG_CGROUP_SCHED=y
 CONFIG_FAIR_GROUP_SCHED=y
-# CONFIG_CFS_BANDWIDTH is not set
-# CONFIG_RT_GROUP_SCHED is not set
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_RT_GROUP_SCHED=y
 CONFIG_CGROUP_PIDS=y
 # CONFIG_CGROUP_FREEZER is not set
 CONFIG_CPUSETS=y
@@ -211,7 +210,7 @@ CONFIG_EPOLL=y
 CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
-# CONFIG_BPF_SYSCALL is not set
+CONFIG_BPF_SYSCALL=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
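Review bot: `# CONFIG_AUDIT is not set` in the `@@ -76,11 +76,8 @@` hunk removes the kernel audit subsystem outright (`CONFIG_AUDITSYSCALL`, `CONFIG_AUDIT_WATCH` and `CONFIG_AUDIT_TREE` disappear with it), so syscall and file-watch auditing through auditd is no longer possible on this kernel, and the SELinux option later in the diff drops out because it depends on audit; the grsecurity exec/resource logging kept further down goes to the kernel log and is not a substitute for a syscall audit trail. If that trade-off is intended, it belongs in the commit description. In the `@@ -211,7 +210,7 @@` hunk, `CONFIG_BPF_SYSCALL=y` newly exposes the bpf(2) syscall; unless unprivileged users are expected to load programs, pair it with the `kernel.unprivileged_bpf_disabled=1` sysctl in the port's sysctl configuration so the new surface is limited to root.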
@@ -234,11 +233,13 @@ CONFIG_SLUB=y
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLUB_CPU_PARTIAL=y
 CONFIG_SYSTEM_DATA_VERIFICATION=y
-# CONFIG_PROFILING is not set
+CONFIG_PROFILING=y
+# CONFIG_OPROFILE is not set
 CONFIG_HAVE_OPROFILE=y
 CONFIG_OPROFILE_NMI_TIMER=y
 CONFIG_KPROBES=y
-# CONFIG_JUMP_LABEL is not set
+CONFIG_JUMP_LABEL=y
+# CONFIG_STATIC_KEYS_SELFTEST is not set
 CONFIG_OPTPROBES=y
 # CONFIG_UPROBES is not set
 # CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
@@ -279,8 +280,8 @@ CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 CONFIG_HAVE_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_NONE is not set
-CONFIG_CC_STACKPROTECTOR_REGULAR=y
-# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
+CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
 CONFIG_HAVE_CONTEXT_TRACKING=y
 CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
@@ -299,7 +300,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8
 CONFIG_HAVE_COPY_THREAD_TLS=y
 CONFIG_HAVE_STACK_VALIDATION=y
 # CONFIG_HAVE_ARCH_HASH is not set
-# CONFIG_ISA_BUS_API is not set
+CONFIG_ISA_BUS_API=y
 CONFIG_OLD_SIGSUSPEND3=y
 CONFIG_COMPAT_OLD_SIGACTION=y
 # CONFIG_CPU_NO_EFFICIENT_FFS is not set
@@ -328,14 +329,16 @@ CONFIG_MODULE_SIG_SHA256=y
 # CONFIG_MODULE_SIG_SHA384 is not set
 # CONFIG_MODULE_SIG_SHA512 is not set
 CONFIG_MODULE_SIG_HASH="sha256"
-# CONFIG_MODULE_COMPRESS is not set
+CONFIG_MODULE_COMPRESS=y
+CONFIG_MODULE_COMPRESS_GZIP=y
+# CONFIG_MODULE_COMPRESS_XZ is not set
 CONFIG_TRIM_UNUSED_KSYMS=y
 CONFIG_MODULES_TREE_LOOKUP=y
 CONFIG_BLOCK=y
 CONFIG_BLK_DEV_BSG=y
 CONFIG_BLK_DEV_BSGLIB=y
 CONFIG_BLK_DEV_INTEGRITY=y
-# CONFIG_BLK_DEV_THROTTLING is not set
+CONFIG_BLK_DEV_THROTTLING=y
 # CONFIG_BLK_CMDLINE_PARSER is not set
 #
@@ -399,6 +402,7 @@ CONFIG_ZONE_DMA=y
 CONFIG_SMP=y
 CONFIG_X86_FEATURE_NAMES=y
 CONFIG_X86_FAST_FEATURE_TESTS=y
+CONFIG_X86_X2APIC=y
 CONFIG_X86_MPPARSE=y
 # CONFIG_GOLDFISH is not set
 # CONFIG_X86_EXTENDED_PLATFORM is not set
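Review bot: `CONFIG_MODULE_COMPRESS=y` with `CONFIG_MODULE_COMPRESS_GZIP=y` in the `@@ -328,14 +329,16 @@` hunk turns the installed modules into `.ko.gz` files, and the updated .footprint in this same commit lists `lib/modules/4.9.12-grsec/modules.dep (EMPTY)` where the previous footprint had a populated modules.dep; an empty dependency index means modprobe cannot resolve any module by name, which suggests the depmod on the build host does not index compressed modules. Either build kmod with compression support and regenerate the footprint, or leave `CONFIG_MODULE_COMPRESS` off until it does, and re-check that the `CONFIG_MODULE_SIG_HASH="sha256"` signature path still verifies once modules are compressed. The `@@ -279,8 +280,8 @@` switch to `CONFIG_CC_STACKPROTECTOR_STRONG=y` and the `@@ -234,11 +233,13 @@` change to `CONFIG_PROFILING=y` are unrelated to each other and to the compression change, so the commit description should list them separately rather than under a single version bump.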
@@ -407,6 +411,14 @@ CONFIG_X86_INTEL_LPSS=y CONFIG_IOSF_MBI=y CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y CONFIG_SCHED_OMIT_FRAME_POINTER=y +CONFIG_HYPERVISOR_GUEST=y +CONFIG_PARAVIRT=y +# CONFIG_PARAVIRT_DEBUG is not set +CONFIG_PARAVIRT_SPINLOCKS=y +# CONFIG_XEN is not set +CONFIG_KVM_GUEST=y +CONFIG_PARAVIRT_TIME_ACCOUNTING=y +CONFIG_PARAVIRT_CLOCK=y CONFIG_NO_BOOTMEM=y # CONFIG_MK8 is not set # CONFIG_MK8SSE3 is not set @@ -457,8 +469,8 @@ CONFIG_IOMMU_HELPER=y CONFIG_NR_CPUS=4 CONFIG_SCHED_SMT=y CONFIG_SCHED_MC=y -CONFIG_PREEMPT_NONE=y -# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT_NONE is not set +CONFIG_PREEMPT_VOLUNTARY=y # CONFIG_PREEMPT is not set CONFIG_X86_LOCAL_APIC=y CONFIG_X86_IO_APIC=y @@ -494,6 +506,7 @@ CONFIG_NODES_SHIFT=6 CONFIG_ARCH_SPARSEMEM_ENABLE=y CONFIG_ARCH_SPARSEMEM_DEFAULT=y CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 CONFIG_SELECT_MEMORY_MODEL=y CONFIG_SPARSEMEM_MANUAL=y @@ -509,8 +522,11 @@ CONFIG_HAVE_MEMBLOCK_NODE_MAP=y CONFIG_ARCH_DISCARD_MEMBLOCK=y CONFIG_MEMORY_ISOLATION=y # CONFIG_MOVABLE_NODE is not set -# CONFIG_HAVE_BOOTMEM_INFO_NODE is not set -# CONFIG_MEMORY_HOTPLUG is not set +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +CONFIG_MEMORY_HOTREMOVE=y CONFIG_SPLIT_PTLOCK_CPUS=4 CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y CONFIG_MEMORY_BALLOON=y 
@@ -518,18 +534,21 @@ CONFIG_BALLOON_COMPACTION=y
 CONFIG_COMPACTION=y
 CONFIG_MIGRATION=y
 CONFIG_PHYS_ADDR_T_64BIT=y
-# CONFIG_BOUNCE is not set
+CONFIG_BOUNCE=y
 CONFIG_VIRT_TO_BUS=y
 CONFIG_MMU_NOTIFIER=y
-# CONFIG_KSM is not set
-CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+CONFIG_KSM=y
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
 CONFIG_MEMORY_FAILURE=y
-# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_TRANSPARENT_HUGEPAGE=y
+CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y
+# CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set
+CONFIG_TRANSPARENT_HUGE_PAGECACHE=y
 CONFIG_CLEANCACHE=y
 CONFIG_FRONTSWAP=y
 # CONFIG_CMA is not set
-# CONFIG_ZSWAP is not set
+CONFIG_ZSWAP=y
 CONFIG_ZPOOL=y
 CONFIG_ZBUD=y
 CONFIG_Z3FOLD=y
@@ -537,7 +556,9 @@ CONFIG_ZSMALLOC=y
 # CONFIG_PGTABLE_MAPPING is not set
 CONFIG_GENERIC_EARLY_IOREMAP=y
 CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y
+# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
 # CONFIG_IDLE_PAGE_TRACKING is not set
+CONFIG_ZONE_DEVICE=y
 CONFIG_FRAME_VECTOR=y
 CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
 CONFIG_ARCH_HAS_PKEYS=y
@@ -546,7 +567,9 @@ CONFIG_X86_CHECK_BIOS_CORRUPTION=y
 CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
 CONFIG_X86_RESERVE_LOW=64
 CONFIG_MTRR=y
-# CONFIG_MTRR_SANITIZER is not set
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
 CONFIG_X86_PAT=y
 CONFIG_ARCH_USES_PG_UNCACHED=y
 CONFIG_ARCH_RANDOM=y
@@ -554,7 +577,8 @@ CONFIG_X86_SMAP=y
 CONFIG_X86_INTEL_MPX=y
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
 CONFIG_EFI=y
-# CONFIG_EFI_STUB is not set
+CONFIG_EFI_STUB=y
+CONFIG_EFI_MIXED=y
 CONFIG_SECCOMP=y
 # CONFIG_HZ_100 is not set
 # CONFIG_HZ_250 is not set
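Review bot: `CONFIG_KSM=y` in the `@@ -518,18 +534,21 @@` hunk compiles same-page merging into a kernel that this diff also keeps as a KVM host (`CONFIG_KVM_INTEL=y` is the header context of a later hunk); KSM stays idle until `/sys/kernel/mm/ksm/run` is set to 1, but once enabled it merges identical pages across unrelated processes and guests, which is a known memory-deduplication side channel between tenants. If the goal is host memory savings, the port should document that KSM must stay off where mutually distrusting guests share the machine. Raising `CONFIG_DEFAULT_MMAP_MIN_ADDR` from 4096 to 65536 in the same hunk is a sound NULL-dereference hardening step and deserves a line in the commit description rather than being buried in a version bump.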
@@ -567,7 +591,9 @@ CONFIG_CRASH_DUMP=y CONFIG_PHYSICAL_START=0x1000000 CONFIG_RELOCATABLE=y CONFIG_PHYSICAL_ALIGN=0x1000000 -# CONFIG_HOTPLUG_CPU is not set +CONFIG_HOTPLUG_CPU=y +# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set +# CONFIG_DEBUG_HOTPLUG_CPU0 is not set CONFIG_LEGACY_VSYSCALL_EMULATE=y # CONFIG_LEGACY_VSYSCALL_NONE is not set # CONFIG_CMDLINE_BOOL is not set @@ -575,6 +601,7 @@ CONFIG_LEGACY_VSYSCALL_EMULATE=y # CONFIG_DEFAULT_MODIFY_LDT_SYSCALL is not set CONFIG_HAVE_LIVEPATCH=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y CONFIG_USE_PERCPU_NUMA_NODE_ID=y # @@ -583,6 +610,7 @@ CONFIG_USE_PERCPU_NUMA_NODE_ID=y # CONFIG_SUSPEND is not set CONFIG_PM=y # CONFIG_PM_DEBUG is not set +CONFIG_PM_OPP=y CONFIG_PM_CLK=y # CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set CONFIG_ACPI=y @@ -591,8 +619,8 @@ CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y # CONFIG_ACPI_DEBUGGER is not set # CONFIG_ACPI_PROCFS_POWER is not set -CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y -# CONFIG_ACPI_EC_DEBUGFS is not set +# CONFIG_ACPI_REV_OVERRIDE_POSSIBLE is not set +CONFIG_ACPI_EC_DEBUGFS=y CONFIG_ACPI_AC=y CONFIG_ACPI_BATTERY=y CONFIG_ACPI_BUTTON=y @@ -603,7 +631,8 @@ CONFIG_ACPI_CPU_FREQ_PSS=y CONFIG_ACPI_PROCESSOR_CSTATE=y CONFIG_ACPI_PROCESSOR_IDLE=y CONFIG_ACPI_PROCESSOR=y -# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_HOTPLUG_CPU=y +CONFIG_ACPI_PROCESSOR_AGGREGATOR=y CONFIG_ACPI_THERMAL=y CONFIG_ACPI_NUMA=y # CONFIG_ACPI_CUSTOM_DSDT is not set @@ -613,6 +642,7 @@ CONFIG_ACPI_TABLE_UPGRADE=y CONFIG_ACPI_PCI_SLOT=y CONFIG_X86_PM_TIMER=y CONFIG_ACPI_CONTAINER=y +CONFIG_ACPI_HOTPLUG_MEMORY=y CONFIG_ACPI_HOTPLUG_IOAPIC=y CONFIG_ACPI_SBS=y CONFIG_ACPI_HED=y 
@@ -626,16 +656,48 @@ CONFIG_ACPI_APEI_GHES=y CONFIG_ACPI_APEI_PCIEAER=y # CONFIG_ACPI_APEI_MEMORY_FAILURE is not set # CONFIG_ACPI_APEI_ERST_DEBUG is not set -# CONFIG_DPTF_POWER is not set +CONFIG_DPTF_POWER=y # CONFIG_ACPI_EXTLOG is not set -# CONFIG_PMIC_OPREGION is not set +CONFIG_PMIC_OPREGION=y CONFIG_ACPI_CONFIGFS=y CONFIG_SFI=y # # CPU Frequency scaling # -# CONFIG_CPU_FREQ is not set +CONFIG_CPU_FREQ=y +CONFIG_CPU_FREQ_GOV_ATTR_SET=y +CONFIG_CPU_FREQ_GOV_COMMON=y +# CONFIG_CPU_FREQ_STAT is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set +CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y +# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL is not set +CONFIG_CPU_FREQ_GOV_PERFORMANCE=y +CONFIG_CPU_FREQ_GOV_POWERSAVE=y +CONFIG_CPU_FREQ_GOV_USERSPACE=y +CONFIG_CPU_FREQ_GOV_ONDEMAND=y +CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y +CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y + +# +# CPU frequency scaling drivers +# +CONFIG_CPUFREQ_DT=y +CONFIG_CPUFREQ_DT_PLATDEV=y +CONFIG_X86_INTEL_PSTATE=y +CONFIG_X86_PCC_CPUFREQ=y +CONFIG_X86_ACPI_CPUFREQ=y +# CONFIG_X86_POWERNOW_K8 is not set +# CONFIG_X86_SPEEDSTEP_CENTRINO is not set +# CONFIG_X86_P4_CLOCKMOD is not set + +# +# shared options +# +# CONFIG_X86_SPEEDSTEP_LIB is not set # # CPU Idle 
@@ -644,24 +706,25 @@ CONFIG_CPU_IDLE=y CONFIG_CPU_IDLE_GOV_LADDER=y CONFIG_CPU_IDLE_GOV_MENU=y # CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set -# CONFIG_INTEL_IDLE is not set +CONFIG_INTEL_IDLE=y # # Memory power savings # -# CONFIG_I7300_IDLE is not set +CONFIG_I7300_IDLE_IOAT_CHANNEL=y +CONFIG_I7300_IDLE=y # # Bus options (PCI etc.) # CONFIG_PCI=y CONFIG_PCI_DIRECT=y -# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_MMCONFIG=y CONFIG_PCI_DOMAINS=y # CONFIG_PCI_CNB20LE_QUIRK is not set CONFIG_PCIEPORTBUS=y CONFIG_PCIEAER=y -# CONFIG_PCIE_ECRC is not set +CONFIG_PCIE_ECRC=y # CONFIG_PCIEAER_INJECT is not set CONFIG_PCIEASPM=y # CONFIG_PCIEASPM_DEBUG is not set @@ -669,13 +732,13 @@ CONFIG_PCIEASPM_DEFAULT=y # CONFIG_PCIEASPM_POWERSAVE is not set # CONFIG_PCIEASPM_PERFORMANCE is not set CONFIG_PCIE_PME=y -# CONFIG_PCIE_DPC is not set -# CONFIG_PCIE_PTM is not set +CONFIG_PCIE_DPC=y +CONFIG_PCIE_PTM=y CONFIG_PCI_BUS_ADDR_T_64BIT=y CONFIG_PCI_MSI=y CONFIG_PCI_MSI_IRQ_DOMAIN=y # CONFIG_PCI_DEBUG is not set -# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +CONFIG_PCI_REALLOC_ENABLE_AUTO=y # CONFIG_PCI_STUB is not set CONFIG_HT_IRQ=y CONFIG_PCI_ATS=y @@ -691,11 +754,11 @@ CONFIG_PCI_LABEL=y CONFIG_PCIE_DW_PLAT=y CONFIG_PCIE_DW=y # CONFIG_VMD is not set -# CONFIG_ISA_BUS is not set +CONFIG_ISA_BUS=y CONFIG_ISA_DMA_API=y # CONFIG_PCCARD is not set # CONFIG_RAPIDIO is not set -CONFIG_X86_SYSFB=y +# CONFIG_X86_SYSFB is not set # # Executable file formats / Emulations @@ -706,7 +769,7 @@ CONFIG_ELFCORE=y CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y CONFIG_BINFMT_SCRIPT=y # CONFIG_HAVE_AOUT is not set -# CONFIG_BINFMT_MISC is not set +CONFIG_BINFMT_MISC=y CONFIG_COREDUMP=y CONFIG_IA32_EMULATION=y CONFIG_IA32_AOUT=y @@ -862,7 +925,6 @@ CONFIG_NETFILTER_XT_SET=y # # Xtables targets # -CONFIG_NETFILTER_XT_TARGET_AUDIT=y CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y CONFIG_NETFILTER_XT_TARGET_CONNMARK=y 
@@ -1242,10 +1304,11 @@ CONFIG_HAVE_EBPF_JIT=y CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y CONFIG_STANDALONE=y -CONFIG_PREVENT_FIRMWARE_BUILD=y +# CONFIG_PREVENT_FIRMWARE_BUILD is not set CONFIG_FW_LOADER=y CONFIG_FIRMWARE_IN_KERNEL=y -CONFIG_EXTRA_FIRMWARE="" +CONFIG_EXTRA_FIRMWARE="iwlwifi-3160-17.ucode" +CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware" CONFIG_FW_LOADER_USER_HELPER=y CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y CONFIG_WANT_DEV_COREDUMP=y @@ -1318,9 +1381,7 @@ CONFIG_VIRTIO_BLK=y # CONFIG_BLK_DEV_HD is not set # CONFIG_BLK_DEV_RBD is not set # CONFIG_BLK_DEV_RSXX is not set -CONFIG_NVME_CORE=y -CONFIG_BLK_DEV_NVME=y -# CONFIG_BLK_DEV_NVME_SCSI is not set +# CONFIG_BLK_DEV_NVME is not set # CONFIG_NVME_TARGET is not set # @@ -1379,7 +1440,7 @@ CONFIG_INTEL_MEI_TXE=y # # Intel MIC Bus Driver # -CONFIG_INTEL_MIC_BUS=y +# CONFIG_INTEL_MIC_BUS is not set # # SCIF Bus Driver @@ -1537,7 +1598,7 @@ CONFIG_SATA_AHCI_PLATFORM=y CONFIG_MD=y CONFIG_BLK_DEV_MD=y CONFIG_MD_AUTODETECT=y -# CONFIG_MD_LINEAR is not set +CONFIG_MD_LINEAR=y CONFIG_MD_RAID0=y CONFIG_MD_RAID1=y CONFIG_MD_RAID10=y @@ -1571,7 +1632,13 @@ CONFIG_DM_UEVENT=y # CONFIG_DM_VERITY is not set # CONFIG_DM_SWITCH is not set # CONFIG_DM_LOG_WRITES is not set -# CONFIG_TARGET_CORE is not set +CONFIG_TARGET_CORE=y +# CONFIG_TCM_IBLOCK is not set +# CONFIG_TCM_FILEIO is not set +# CONFIG_TCM_PSCSI is not set +# CONFIG_TCM_USER2 is not set +# CONFIG_LOOPBACK_TARGET is not set +# CONFIG_ISCSI_TARGET is not set CONFIG_FUSION=y CONFIG_FUSION_SPI=y CONFIG_FUSION_FC=y @@ -1747,11 +1814,10 @@ CONFIG_WLAN_VENDOR_INTEL=y # CONFIG_IPW2200 is not set # CONFIG_IWL4965 is not set # CONFIG_IWL3945 is not set -CONFIG_IWLWIFI=m +CONFIG_IWLWIFI=y CONFIG_IWLWIFI_LEDS=y -CONFIG_IWLDVM=m -CONFIG_IWLMVM=m -CONFIG_IWLWIFI_OPMODE_MODULAR=y +CONFIG_IWLDVM=y +CONFIG_IWLMVM=y # CONFIG_IWLWIFI_BCAST_FILTERING is not set CONFIG_IWLWIFI_PCIE_RTPM=y 
@@ -1843,6 +1909,7 @@ CONFIG_MOUSE_PS2_ELANTECH=y # CONFIG_MOUSE_PS2_SENTELIC is not set # CONFIG_MOUSE_PS2_TOUCHKIT is not set CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_PS2_VMMOUSE is not set CONFIG_MOUSE_SERIAL=y # CONFIG_MOUSE_APPLETOUCH is not set # CONFIG_MOUSE_BCM5974 is not set @@ -1962,7 +2029,7 @@ CONFIG_I2C_MUX=y # Multiplexer I2C Chip support # # CONFIG_I2C_ARB_GPIO_CHALLENGE is not set -CONFIG_I2C_MUX_GPIO=y +# CONFIG_I2C_MUX_GPIO is not set # CONFIG_I2C_MUX_PCA9541 is not set # CONFIG_I2C_MUX_PCA954x is not set # CONFIG_I2C_MUX_PINCTRL is not set @@ -1986,7 +2053,7 @@ CONFIG_I2C_ALGOBIT=y # CONFIG_I2C_AMD8111 is not set CONFIG_I2C_I801=y # CONFIG_I2C_ISCH is not set -# CONFIG_I2C_ISMT is not set +CONFIG_I2C_ISMT=y # CONFIG_I2C_PIIX4 is not set # CONFIG_I2C_NFORCE2 is not set # CONFIG_I2C_SIS5595 is not set @@ -2007,7 +2074,7 @@ CONFIG_I2C_SCMI=y CONFIG_I2C_DESIGNWARE_CORE=y CONFIG_I2C_DESIGNWARE_PLATFORM=y CONFIG_I2C_DESIGNWARE_PCI=y -# CONFIG_I2C_DESIGNWARE_BAYTRAIL is not set +CONFIG_I2C_DESIGNWARE_BAYTRAIL=y # CONFIG_I2C_EMEV2 is not set # CONFIG_I2C_GPIO is not set # CONFIG_I2C_OCORES is not set @@ -2048,9 +2115,9 @@ CONFIG_SPI_BITBANG=y # CONFIG_SPI_CADENCE is not set CONFIG_SPI_DESIGNWARE=y CONFIG_SPI_DW_PCI=y -# CONFIG_SPI_DW_MID_DMA is not set +CONFIG_SPI_DW_MID_DMA=y CONFIG_SPI_DW_MMIO=y -CONFIG_SPI_GPIO=y +# CONFIG_SPI_GPIO is not set # CONFIG_SPI_FSL_SPI is not set # CONFIG_SPI_OC_TINY is not set # CONFIG_SPI_PXA2XX is not set @@ -2067,7 +2134,7 @@ CONFIG_SPI_GPIO=y # CONFIG_SPI_SPIDEV is not set # CONFIG_SPI_LOOPBACK_TEST is not set # CONFIG_SPI_TLE62X0 is not set -# CONFIG_SPMI is not set +CONFIG_SPMI=y # CONFIG_HSI is not set # @@ -2108,7 +2175,7 @@ CONFIG_GPIOLIB=y CONFIG_OF_GPIO=y CONFIG_GPIO_ACPI=y # CONFIG_DEBUG_GPIO is not set -CONFIG_GPIO_SYSFS=y +# CONFIG_GPIO_SYSFS is not set # # Memory mapped GPIO drivers 
@@ -2119,7 +2186,7 @@ CONFIG_GPIO_SYSFS=y # CONFIG_GPIO_DWAPB is not set # CONFIG_GPIO_GENERIC_PLATFORM is not set # CONFIG_GPIO_GRGPIO is not set -CONFIG_GPIO_ICH=y +# CONFIG_GPIO_ICH is not set # CONFIG_GPIO_LYNXPOINT is not set # CONFIG_GPIO_MOCKUP is not set # CONFIG_GPIO_VX855 is not set @@ -2129,10 +2196,15 @@ CONFIG_GPIO_ICH=y # # Port-mapped I/O GPIO drivers # +# CONFIG_GPIO_104_DIO_48E is not set +# CONFIG_GPIO_104_IDIO_16 is not set +# CONFIG_GPIO_104_IDI_48 is not set # CONFIG_GPIO_F7188X is not set +# CONFIG_GPIO_GPIO_MM is not set # CONFIG_GPIO_IT87 is not set # CONFIG_GPIO_SCH is not set # CONFIG_GPIO_SCH311X is not set +# CONFIG_GPIO_WS16C48 is not set # # I2C GPIO expanders @@ -2176,7 +2248,34 @@ CONFIG_GPIO_ICH=y # # USB GPIO expanders # -# CONFIG_W1 is not set +CONFIG_W1=y +CONFIG_W1_CON=y + +# +# 1-wire Bus Masters +# +# CONFIG_W1_MASTER_MATROX is not set +# CONFIG_W1_MASTER_DS2490 is not set +# CONFIG_W1_MASTER_DS2482 is not set +# CONFIG_W1_MASTER_DS1WM is not set +# CONFIG_W1_MASTER_GPIO is not set + +# +# 1-wire Slaves +# +CONFIG_W1_SLAVE_THERM=y +# CONFIG_W1_SLAVE_SMEM is not set +# CONFIG_W1_SLAVE_DS2408 is not set +# CONFIG_W1_SLAVE_DS2413 is not set +# CONFIG_W1_SLAVE_DS2406 is not set +# CONFIG_W1_SLAVE_DS2423 is not set +# CONFIG_W1_SLAVE_DS2431 is not set +# CONFIG_W1_SLAVE_DS2433 is not set +# CONFIG_W1_SLAVE_DS2760 is not set +# CONFIG_W1_SLAVE_DS2780 is not set +# CONFIG_W1_SLAVE_DS2781 is not set +# CONFIG_W1_SLAVE_DS28E04 is not set +# CONFIG_W1_SLAVE_BQ27000 is not set # CONFIG_POWER_AVS is not set # CONFIG_POWER_RESET is not set CONFIG_POWER_SUPPLY=y @@ -2190,7 +2289,6 @@ CONFIG_POWER_SUPPLY=y # CONFIG_BATTERY_BQ27XXX is not set # CONFIG_BATTERY_MAX17040 is not set # CONFIG_BATTERY_MAX17042 is not set -# CONFIG_CHARGER_ISP1704 is not set # CONFIG_CHARGER_MAX8903 is not set # CONFIG_CHARGER_LP8727 is not set # CONFIG_CHARGER_GPIO is not set 
@@ -2361,12 +2459,14 @@ CONFIG_THERMAL_GOV_STEP_WISE=y # CONFIG_THERMAL_GOV_BANG_BANG is not set CONFIG_THERMAL_GOV_USER_SPACE=y CONFIG_THERMAL_GOV_POWER_ALLOCATOR=y +# CONFIG_CPU_THERMAL is not set +# CONFIG_CLOCK_THERMAL is not set +# CONFIG_DEVFREQ_THERMAL is not set # CONFIG_THERMAL_EMULATION is not set # CONFIG_QORIQ_THERMAL is not set # CONFIG_INTEL_POWERCLAMP is not set CONFIG_X86_PKG_TEMP_THERMAL=y -CONFIG_INTEL_SOC_DTS_IOSF_CORE=y -CONFIG_INTEL_SOC_DTS_THERMAL=y +# CONFIG_INTEL_SOC_DTS_THERMAL is not set # # ACPI INT340X thermal drivers @@ -2375,7 +2475,7 @@ CONFIG_INTEL_SOC_DTS_THERMAL=y CONFIG_INTEL_PCH_THERMAL=y CONFIG_WATCHDOG=y CONFIG_WATCHDOG_CORE=y -CONFIG_WATCHDOG_NOWAYOUT=y +# CONFIG_WATCHDOG_NOWAYOUT is not set CONFIG_WATCHDOG_SYSFS=y # @@ -2393,6 +2493,7 @@ CONFIG_WATCHDOG_SYSFS=y # CONFIG_ADVANTECH_WDT is not set # CONFIG_ALIM1535_WDT is not set # CONFIG_ALIM7101_WDT is not set +# CONFIG_EBC_C384_WDT is not set # CONFIG_F71808E_WDT is not set # CONFIG_SP5100_TCO is not set # CONFIG_SBC_FITPC2_WATCHDOG is not set @@ -2444,18 +2545,7 @@ CONFIG_SSB_POSSIBLE=y # # Sonics Silicon Backplane # -CONFIG_SSB=y -CONFIG_SSB_SPROM=y -CONFIG_SSB_PCIHOST_POSSIBLE=y -CONFIG_SSB_PCIHOST=y -# CONFIG_SSB_B43_PCI_BRIDGE is not set -CONFIG_SSB_SDIOHOST_POSSIBLE=y -# CONFIG_SSB_SDIOHOST is not set -# CONFIG_SSB_SILENT is not set -# CONFIG_SSB_DEBUG is not set -CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y -CONFIG_SSB_DRIVER_PCICORE=y -# CONFIG_SSB_DRIVER_GPIO is not set +# CONFIG_SSB is not set CONFIG_BCMA_POSSIBLE=y # @@ -2751,7 +2841,7 @@ CONFIG_AGP_INTEL=y # CONFIG_AGP_VIA is not set CONFIG_INTEL_GTT=y CONFIG_VGA_ARB=y -CONFIG_VGA_ARB_MAX_GPUS=1 +CONFIG_VGA_ARB_MAX_GPUS=2 # CONFIG_VGA_SWITCHEROO is not set CONFIG_DRM=y CONFIG_DRM_MIPI_DSI=y 
@@ -3047,13 +3137,13 @@ CONFIG_SND_HDA_RECONFIG=y CONFIG_SND_HDA_INPUT_BEEP=y CONFIG_SND_HDA_INPUT_BEEP_MODE=1 # CONFIG_SND_HDA_PATCH_LOADER is not set -CONFIG_SND_HDA_CODEC_REALTEK=y -# CONFIG_SND_HDA_CODEC_ANALOG is not set +# CONFIG_SND_HDA_CODEC_REALTEK is not set +CONFIG_SND_HDA_CODEC_ANALOG=y # CONFIG_SND_HDA_CODEC_SIGMATEL is not set # CONFIG_SND_HDA_CODEC_VIA is not set CONFIG_SND_HDA_CODEC_HDMI=y # CONFIG_SND_HDA_CODEC_CIRRUS is not set -# CONFIG_SND_HDA_CODEC_CONEXANT is not set +CONFIG_SND_HDA_CODEC_CONEXANT=y # CONFIG_SND_HDA_CODEC_CA0110 is not set # CONFIG_SND_HDA_CODEC_CA0132 is not set # CONFIG_SND_HDA_CODEC_CMEDIA is not set @@ -3177,10 +3267,9 @@ CONFIG_USB_ANNOUNCE_NEW_DEVICES=y # CONFIG_USB_DEFAULT_PERSIST=y # CONFIG_USB_DYNAMIC_MINORS is not set -CONFIG_USB_OTG=y +# CONFIG_USB_OTG is not set # CONFIG_USB_OTG_WHITELIST is not set # CONFIG_USB_OTG_BLACKLIST_HUB is not set -CONFIG_USB_OTG_FSM=y # CONFIG_USB_LEDS_TRIGGER_USBPORT is not set CONFIG_USB_MON=y # CONFIG_USB_WUSB_CBAF is not set @@ -3204,12 +3293,10 @@ CONFIG_USB_EHCI_HCD_PLATFORM=y # CONFIG_USB_MAX3421_HCD is not set CONFIG_USB_OHCI_HCD=y CONFIG_USB_OHCI_HCD_PCI=y -# CONFIG_USB_OHCI_HCD_SSB is not set -# CONFIG_USB_OHCI_HCD_PLATFORM is not set +CONFIG_USB_OHCI_HCD_PLATFORM=y CONFIG_USB_UHCI_HCD=y # CONFIG_USB_SL811_HCD is not set # CONFIG_USB_R8A66597_HCD is not set -# CONFIG_USB_HCD_SSB is not set # CONFIG_USB_HCD_TEST_MODE is not set # 
@@ -3251,23 +3338,8 @@ CONFIG_USB_UAS=y # CONFIG_USB_MICROTEK is not set # CONFIG_USBIP_CORE is not set # CONFIG_USB_MUSB_HDRC is not set -CONFIG_USB_DWC3=y -CONFIG_USB_DWC3_HOST=y - -# -# Platform Glue Driver Support -# -CONFIG_USB_DWC3_PCI=y -CONFIG_USB_DWC3_OF_SIMPLE=y -CONFIG_USB_DWC2=y -CONFIG_USB_DWC2_HOST=y - -# -# Gadget/Dual-role mode requires USB Gadget support to be enabled -# -# CONFIG_USB_DWC2_PCI is not set -# CONFIG_USB_DWC2_DEBUG is not set -# CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set +# CONFIG_USB_DWC3 is not set +# CONFIG_USB_DWC2 is not set # CONFIG_USB_CHIPIDEA is not set # CONFIG_USB_ISP1760 is not set @@ -3359,13 +3431,13 @@ CONFIG_USB_SERIAL_FTDI_SIO=y # # USB Physical Layer drivers # -CONFIG_USB_PHY=y +# CONFIG_USB_PHY is not set # CONFIG_NOP_USB_XCEIV is not set # CONFIG_USB_GPIO_VBUS is not set # CONFIG_USB_ISP1301 is not set # CONFIG_USB_GADGET is not set -# CONFIG_USB_LED_TRIG is not set -# CONFIG_USB_ULPI_BUS is not set +CONFIG_USB_LED_TRIG=y +CONFIG_USB_ULPI_BUS=y # CONFIG_UWB is not set CONFIG_MMC=y # CONFIG_MMC_DEBUG is not set @@ -3398,7 +3470,7 @@ CONFIG_MMC_SPI=y # CONFIG_MMC_CB710 is not set # CONFIG_MMC_VIA_SDMMC is not set # CONFIG_MMC_VUB300 is not set -# CONFIG_MMC_USHC is not set +CONFIG_MMC_USHC=y # CONFIG_MMC_USDHI6ROL0 is not set # CONFIG_MMC_TOSHIBA_PCI is not set # CONFIG_MMC_MTK is not set 
@@ -3465,7 +3537,24 @@ CONFIG_LEDS_TRIGGERS=y # CONFIG_INFINIBAND is not set CONFIG_EDAC_ATOMIC_SCRUB=y CONFIG_EDAC_SUPPORT=y -# CONFIG_EDAC is not set +CONFIG_EDAC=y +# CONFIG_EDAC_LEGACY_SYSFS is not set +# CONFIG_EDAC_DEBUG is not set +CONFIG_EDAC_MM_EDAC=y +CONFIG_EDAC_GHES=y +# CONFIG_EDAC_E752X is not set +# CONFIG_EDAC_I82975X is not set +# CONFIG_EDAC_I3000 is not set +# CONFIG_EDAC_I3200 is not set +# CONFIG_EDAC_IE31200 is not set +# CONFIG_EDAC_X38 is not set +# CONFIG_EDAC_I5400 is not set +# CONFIG_EDAC_I7CORE is not set +# CONFIG_EDAC_I5000 is not set +# CONFIG_EDAC_I5100 is not set +# CONFIG_EDAC_I7300 is not set +CONFIG_EDAC_SBRIDGE=y +# CONFIG_EDAC_SKX is not set CONFIG_RTC_LIB=y CONFIG_RTC_MC146818_LIB=y CONFIG_RTC_CLASS=y @@ -3581,11 +3670,10 @@ CONFIG_DMA_OF=y # CONFIG_FSL_EDMA is not set CONFIG_INTEL_IDMA64=y CONFIG_INTEL_IOATDMA=y -CONFIG_INTEL_MIC_X100_DMA=y # CONFIG_QCOM_HIDMA_MGMT is not set # CONFIG_QCOM_HIDMA is not set CONFIG_DW_DMAC_CORE=y -# CONFIG_DW_DMAC is not set +CONFIG_DW_DMAC=y CONFIG_DW_DMAC_PCI=y CONFIG_HSU_DMA=y @@ -3601,7 +3689,8 @@ CONFIG_DMA_ENGINE_RAID=y # # CONFIG_SYNC_FILE is not set CONFIG_DCA=y -# CONFIG_AUXDISPLAY is not set +CONFIG_AUXDISPLAY=y +# CONFIG_IMG_ASCII_LCD is not set CONFIG_UIO=y # CONFIG_UIO_CIF is not set # CONFIG_UIO_PDRV_GENIRQ is not set @@ -3621,7 +3710,7 @@ CONFIG_VIRTIO=y # Virtio drivers # CONFIG_VIRTIO_PCI=y -CONFIG_VIRTIO_PCI_LEGACY=y +# CONFIG_VIRTIO_PCI_LEGACY is not set CONFIG_VIRTIO_BALLOON=y CONFIG_VIRTIO_INPUT=y CONFIG_VIRTIO_MMIO=y @@ -3630,6 +3719,7 @@ CONFIG_VIRTIO_MMIO=y # # Microsoft Hyper-V guest support # +# CONFIG_HYPERV is not set # CONFIG_STAGING is not set CONFIG_X86_PLATFORM_DEVICES=y # CONFIG_ACER_WMI is not set @@ -3726,7 +3816,7 @@ CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_FLOPPY_WA=y -# CONFIG_IRQ_REMAP is not set +CONFIG_IRQ_REMAP=y # # Remoteproc drivers 
@@ -3746,7 +3836,21 @@ CONFIG_INTEL_IOMMU_FLOPPY_WA=y # # CONFIG_SUNXI_SRAM is not set # CONFIG_SOC_TI is not set -# CONFIG_PM_DEVFREQ is not set +CONFIG_PM_DEVFREQ=y + +# +# DEVFREQ Governors +# +# CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND is not set +# CONFIG_DEVFREQ_GOV_PERFORMANCE is not set +# CONFIG_DEVFREQ_GOV_POWERSAVE is not set +# CONFIG_DEVFREQ_GOV_USERSPACE is not set +# CONFIG_DEVFREQ_GOV_PASSIVE is not set + +# +# DEVFREQ Drivers +# +# CONFIG_PM_DEVFREQ_EVENT is not set # CONFIG_EXTCON is not set # CONFIG_MEMORY is not set # CONFIG_IIO is not set @@ -3766,8 +3870,9 @@ CONFIG_GENERIC_PHY=y # CONFIG_PHY_PXA_28NM_HSIC is not set # CONFIG_PHY_PXA_28NM_USB2 is not set # CONFIG_BCM_KONA_USB2_PHY is not set -# CONFIG_PHY_SAMSUNG_USB2 is not set -# CONFIG_POWERCAP is not set +# CONFIG_PHY_TUSB1210 is not set +CONFIG_POWERCAP=y +CONFIG_INTEL_RAPL=y # CONFIG_MCB is not set # @@ -3781,6 +3886,7 @@ CONFIG_RAS=y # # CONFIG_ANDROID is not set # CONFIG_LIBNVDIMM is not set +# CONFIG_DEV_DAX is not set # CONFIG_NVMEM is not set # CONFIG_STM is not set # CONFIG_INTEL_TH is not set @@ -3846,7 +3952,7 @@ CONFIG_BTRFS_FS_POSIX_ACL=y # CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set # CONFIG_BTRFS_DEBUG is not set # CONFIG_BTRFS_ASSERT is not set -CONFIG_NILFS2_FS=y +# CONFIG_NILFS2_FS is not set CONFIG_F2FS_FS=y CONFIG_F2FS_FS_XATTR=y CONFIG_F2FS_FS_POSIX_ACL=y @@ -3866,8 +3972,14 @@ CONFIG_DNOTIFY=y CONFIG_INOTIFY_USER=y CONFIG_FANOTIFY=y # CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set -# CONFIG_QUOTA is not set -# CONFIG_QUOTACTL is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_QUOTACTL_COMPAT=y # CONFIG_AUTOFS4_FS is not set CONFIG_FUSE_FS=y # CONFIG_CUSE is not set 
@@ -4122,6 +4234,7 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=21 # CONFIG_RCU_EQS_DEBUG is not set # CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set # CONFIG_FAULT_INJECTION is not set CONFIG_USER_STACKTRACE_SUPPORT=y CONFIG_HAVE_FUNCTION_TRACER=y @@ -4195,7 +4308,7 @@ CONFIG_DEFAULT_IO_DELAY_TYPE=0 # CONFIG_OPTIMIZE_INLINING is not set # CONFIG_DEBUG_ENTRY is not set # CONFIG_DEBUG_NMI_SELFTEST is not set -CONFIG_X86_DEBUG_FPU=y +# CONFIG_X86_DEBUG_FPU is not set # # Security options @@ -4207,29 +4320,11 @@ CONFIG_X86_DEBUG_FPU=y CONFIG_PAX_PER_CPU_PGD=y CONFIG_TASK_SIZE_MAX_SHIFT=42 CONFIG_GRKERNSEC=y -CONFIG_GRKERNSEC_CONFIG_AUTO=y -# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set -# CONFIG_GRKERNSEC_CONFIG_SERVER is not set -CONFIG_GRKERNSEC_CONFIG_DESKTOP=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set -CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y -CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set -CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set -# CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set -CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y - -# -# Default Special Groups -# -CONFIG_GRKERNSEC_PROC_GID=1001 -CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005 -CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006 +# CONFIG_GRKERNSEC_CONFIG_AUTO is not set +CONFIG_GRKERNSEC_CONFIG_CUSTOM=y +CONFIG_GRKERNSEC_PROC_GID=4 +CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100 +CONFIG_GRKERNSEC_SYMLINKOWN_GID=15 # # Customize Configuration @@ -4244,7 +4339,7 @@ CONFIG_PAX=y # PaX Control # # CONFIG_PAX_SOFTMODE is not set -CONFIG_PAX_EI_PAX=y +# CONFIG_PAX_EI_PAX is not set CONFIG_PAX_PT_PAX_FLAGS=y CONFIG_PAX_XATTR_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set 
@@ -4264,7 +4359,6 @@ CONFIG_PAX_KERNEXEC=y CONFIG_PAX_KERNEXEC_PLUGIN=y # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y -# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set # # Address Space Layout Randomization @@ -4306,14 +4400,14 @@ CONFIG_GRKERNSEC_BRUTE=y CONFIG_GRKERNSEC_MODHARDEN=y CONFIG_GRKERNSEC_HIDESYM=y CONFIG_GRKERNSEC_RANDSTRUCT=y -# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set +CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y CONFIG_GRKERNSEC_KERN_LOCKOUT=y # # Role Based Access Control Options # # CONFIG_GRKERNSEC_NO_RBAC is not set -# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set +CONFIG_GRKERNSEC_ACL_HIDEKERN=y CONFIG_GRKERNSEC_ACL_MAXTRIES=3 CONFIG_GRKERNSEC_ACL_TIMEOUT=30 @@ -4327,7 +4421,7 @@ CONFIG_GRKERNSEC_PROC_ADD=y CONFIG_GRKERNSEC_LINK=y CONFIG_GRKERNSEC_SYMLINKOWN=y CONFIG_GRKERNSEC_FIFO=y -CONFIG_GRKERNSEC_SYSFS_RESTRICT=y +# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set CONFIG_GRKERNSEC_ROFS=y CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y CONFIG_GRKERNSEC_CHROOT=y @@ -4351,7 +4445,7 @@ CONFIG_GRKERNSEC_CHROOT_INITRD=y # Kernel Auditing # CONFIG_GRKERNSEC_AUDIT_GROUP=y -CONFIG_GRKERNSEC_AUDIT_GID=1007 +CONFIG_GRKERNSEC_AUDIT_GID=99 CONFIG_GRKERNSEC_EXECLOG=y CONFIG_GRKERNSEC_RESLOG=y CONFIG_GRKERNSEC_CHROOT_EXECLOG=y @@ -4376,7 +4470,7 @@ CONFIG_GRKERNSEC_HARDEN_TTY=y CONFIG_GRKERNSEC_TPE=y CONFIG_GRKERNSEC_TPE_ALL=y CONFIG_GRKERNSEC_TPE_INVERT=y -CONFIG_GRKERNSEC_TPE_GID=1005 +CONFIG_GRKERNSEC_TPE_GID=100 # # Network Protections 
@@ -4385,24 +4479,24 @@ CONFIG_GRKERNSEC_BLACKHOLE=y CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y CONFIG_GRKERNSEC_SOCKET=y CONFIG_GRKERNSEC_SOCKET_ALL=y -CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004 +CONFIG_GRKERNSEC_SOCKET_ALL_GID=200 CONFIG_GRKERNSEC_SOCKET_CLIENT=y -CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003 +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15 CONFIG_GRKERNSEC_SOCKET_SERVER=y -CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002 +CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99 # # Physical Protections # CONFIG_GRKERNSEC_DENYUSB=y -CONFIG_GRKERNSEC_DENYUSB_FORCE=y +# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set # # Sysctl Support # CONFIG_GRKERNSEC_SYSCTL=y CONFIG_GRKERNSEC_SYSCTL_DISTRO=y -CONFIG_GRKERNSEC_SYSCTL_ON=y +# CONFIG_GRKERNSEC_SYSCTL_ON is not set # # Logging Options @@ -4423,14 +4517,12 @@ CONFIG_SECURITY_PATH=y # CONFIG_INTEL_TXT is not set CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY=y -# CONFIG_SECURITY_SELINUX is not set # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set -CONFIG_INTEGRITY_AUDIT=y # CONFIG_IMA is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y @@ -4510,7 +4602,7 @@ CONFIG_CRYPTO_HMAC=y # Digest # CONFIG_CRYPTO_CRC32C=y -# CONFIG_CRYPTO_CRC32C_INTEL is not set +CONFIG_CRYPTO_CRC32C_INTEL=y CONFIG_CRYPTO_CRC32=y # CONFIG_CRYPTO_CRC32_PCLMUL is not set CONFIG_CRYPTO_CRCT10DIF=y @@ -4580,7 +4672,7 @@ CONFIG_CRYPTO_DES=y # Compression # CONFIG_CRYPTO_DEFLATE=y -# CONFIG_CRYPTO_LZO is not set +CONFIG_CRYPTO_LZO=y # CONFIG_CRYPTO_842 is not set # CONFIG_CRYPTO_LZ4 is not set # CONFIG_CRYPTO_LZ4HC is not set @@ -4635,6 +4727,7 @@ CONFIG_KVM_INTEL=y # CONFIG_KVM_AMD is not set # CONFIG_KVM_DEVICE_ASSIGNMENT is not set CONFIG_VHOST_NET=y +CONFIG_VHOST_SCSI=m CONFIG_VHOST_VSOCK=y CONFIG_VHOST=y CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y 
@@ -4678,11 +4771,11 @@ CONFIG_LZO_DECOMPRESS=y CONFIG_LZ4_DECOMPRESS=y CONFIG_XZ_DEC=y CONFIG_XZ_DEC_X86=y -CONFIG_XZ_DEC_POWERPC=y -CONFIG_XZ_DEC_IA64=y -CONFIG_XZ_DEC_ARM=y -CONFIG_XZ_DEC_ARMTHUMB=y -CONFIG_XZ_DEC_SPARC=y +# CONFIG_XZ_DEC_POWERPC is not set +# CONFIG_XZ_DEC_IA64 is not set +# CONFIG_XZ_DEC_ARM is not set +# CONFIG_XZ_DEC_ARMTHUMB is not set +# CONFIG_XZ_DEC_SPARC is not set CONFIG_XZ_DEC_BCJ=y # CONFIG_XZ_DEC_TEST is not set CONFIG_DECOMPRESS_GZIP=y @@ -4697,6 +4790,7 @@ CONFIG_TEXTSEARCH_KMP=y CONFIG_TEXTSEARCH_BM=y CONFIG_TEXTSEARCH_FSM=y CONFIG_INTERVAL_TREE=y +CONFIG_RADIX_TREE_MULTIORDER=y CONFIG_ASSOCIATIVE_ARRAY=y CONFIG_HAS_IOMEM=y CONFIG_HAS_IOPORT_MAP=y diff --git a/core/ports/linux-libre/port-libre-grsecurity.patch b/core/ports/linux-libre/port-libre-grsecurity.patch index cecd956..981257a 100644 --- a/core/ports/linux-libre/port-libre-grsecurity.patch +++ b/core/ports/linux-libre/port-libre-grsecurity.patch @@ -1,5 +1,5 @@ ---- grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 05:14:08.682388834 +0000 -+++ grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 05:15:45.579051680 +0000 +--- grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 05:14:08.682388834 +0000 ++++ grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 05:15:45.579051680 +0000 @@ -90805,59 +90805,6 @@ if (!file->private_data) return -ENOMEM; diff --git a/core/ports/linux-libre/port-libre-make.patch b/core/ports/linux-libre/port-libre-make.patch index dfbd8af..51bf8b6 100644 --- a/core/ports/linux-libre/port-libre-make.patch +++ b/core/ports/linux-libre/port-libre-make.patch @@ -3,7 +3,7 @@ @@ -1,7 +1,7 @@ VERSION = 4 PATCHLEVEL = 9 - SUBLEVEL = 11 + SUBLEVEL = 12 -EXTRAVERSION = -gnu +EXTRAVERSION = -grsec NAME = Roaring Lionus diff --git a/core/reboot.html b/core/reboot.html index 23e2996..fd1adfc 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -31,7 +31,7 @@ /bin/bash --login
    -

    1.4.1. Linux Kernel

    +

    1.4.1. Port kernel

    Core ports have two linux kernels, @@ -43,11 +43,10 @@ correct graphic driver and disk. Port linux-blob is dangerous, contain blobs (from bad corporations).

    -

    Addition to upstream kernel is applied a patch with - more cpu families gcc optimizations and grsecurity patch. - Check tpe protection configuration on - sysctl if breaks functionality - during initial configuration.

    +

    Both ports apply grsecurity patch and are configured in + a way that break building some packages and have performance + impact in building process. Solution is to have several kernels, + production, testing, debug with one of them without grsecurity.

             # cd /usr/ports/c9-ports/linux-libre
    diff --git a/core/samhain.html b/core/samhain.html
    new file mode 100644
    index 0000000..74f88fd
    --- /dev/null
    +++ b/core/samhain.html
    @@ -0,0 +1,265 @@
    +
    +
    +    
    +        
    +        2.2.4. Samhain
    +    
    +    
    +
    +        Core OS Index
    +
    +        

    2.2.4. Samhain

    + +

    Read + Samhain Manual, + samhain is a file and host integrity and intrusion alert system + suitable for single hosts as well as for large, UNIX-based networks. + samhain offers advanced features to support and facilitate + centralized monitoring.

    + +

    The client (or standalone) part is called samhain, while the + server is referred to as yule. Both can run as daemon processes.

    + +

    Most of the options require being defined at compile time, is + easy to start with basic and then compile as more features are + required.

    + +
    +        $ sudo prt-get depinst samhain
    +        
    + +
    +
    /var/lib/samhain/samhain_file
    +
    signature database
    +
    /etc/samhainrc
    +
    configuration file
    +
    /var/log/samhain.log
    +
    log file
    +
    + +

    2.2.4.1. Configure

    + +

    For more information on configuration check + Monitoring Policies. + Description of section headings;

    + +
    +
    ReadOnly
    + +
    All modifications except access times will be + reported for these files.
    +
    Checked: owner, group, permissions, file type, device number, + hardlinks, links, inode, checksum, size, mtime, ctime.
    + +
    LogFiles
    + +
    Modifications of timestamps, file size, and signature will be + ignored.
    +
    Checked: owner, group, permissions, file type, device number, + hardlinks, links, inode.
    + +
    GrowingLogFiles
    + +
    Modifications of timestamps, and signature will be ignored. + Modification of the file size will only be ignored if the file size + has increased.
    +
    Checked: owner, group, permissions, file type, device number, + hardlinks, links, inode, size >= previous_size, checksum(file start + up to previous size) equals previous checksum.
    + +
    Attributes
    + +
    Only modifications of ownership, access permissions, and device + number will be checked.
    +
    Checked: owner, group, permissions, file type, device number.
    + +
    IgnoreAll
    + +
    No modifications will be reported. However, the existence of the + specified file or directory will still be checked.
    + +
    IgnoreNone
    + +
    All modifications, including access time, but excluding ctime, will + be reported - checking atime and ctime would require to play with + the system clock.
    +
    Checked: owner, group, permissions, file type, device number, + hardlinks, links, inode, checksum, size, mtime, atime.
    + +
    + +
    +        $ vim /etc/samhainrc
    +        
    + +

    This is just a resume, there is a complete template + on crux ports?.

    + +
    +        [Misc]
    +
    +        [ReadOnly]
    +        dir = 0/
    +
    +        [Attributes]
    +        file = /tmp
    +        file = /dev
    +        file = /media
    +        file = /proc
    +        file = /sys
    +
    +        [ReadOnly]
    +        dir = 99/etc
    +
    +        [Attributes]
    +        file = /etc/mtab
    +        file = /etc/adjtime
    +        file = /etc/motd
    +        file = /etc/fstab
    +
    +        file = /etc
    +
    +        [ReadOnly]
    +        dir = 99/boot
    +
    +        [ReadOnly]
    +        dir = 99/bin
    +        dir = 99/sbin
    +
    +        [ReadOnly]
    +        dir = 99/lib
    +
    +        [Attributes]
    +        dir = 99/dev
    +
    +        [IgnoreAll]
    +        dir = -1/dev/pts
    +
    +        [ReadOnly]
    +        dir = 99/usr
    +
    +        [IgnoreAll]
    +        dir = -1/usr/ports/core
    +        dir = -1/usr/ports/opt
    +        dir = -1/usr/ports/contrib
    +        dir = -1/usr/ports/work
    +        dir = -1/usr/ports/distfiles
    +
    +        [ReadOnly]
    +        dir = 99/var
    +
    +        [IgnoreAll]
    +        dir = -1/var/cache
    +        dir = -1/var/lock
    +        dir = -1/var/mail
    +        dir = -1/var/run
    +        dir = -1/var/spool
    +        dir = -1/var/tmp
    +
    +        [Attributes]
    +
    +        file = /var/lib/mlocate
    +        file = /var/lib/mlocate/mlocate.db
    +        file = /var/lib/urandom
    +        file = /var/lib/urandom/seed
    +
    +        [GrowingLogFiles]
    +        dir = 99/var/log
    +
    +        file = /var/log/samhain.log.lock
    +
    +        [Attributes]
    +        file = /var/log/old/*.[0-9].gz
    +
    +        [Misc]
    +        IgnoreAdded = /var/log/.*\.[0-9]+$
    +        IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
    +        IgnoreAdded = /var/log/.*\.[0-9]+\.log$
    +        IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
    +        IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
    +        IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
    +        IgnoreAdded = /var/lib/slocate/slocate.db.tmp
    +        IgnoreMissing = /var/lib/slocate/slocate.db.tmp
    +
    +        [IgnoreNone]
    +
    +        [Prelink]
    +
    +        [User0]
    +
    +        [User1]
    +
    +        [EventSeverity]
    +
    +        [Log]
    +        MailSeverity=notice
    +        PrintSeverity=none
    +
    +        [Misc]
    +        Daemon = yes
    +        ChecksumTest=check
    +        SetNiceLevel = 19
    +        SetIOLimit = 500
    +        SetLoopTime = 600
    +        SetFileCheckTime = 7200
    +        ReportOnlyOnce = True
    +        SetMailTime = 86400
    +        SetMailNum = 10
    +        SetMailAddress=root@localhost
    +        SyslogFacility=LOG_LOCAL2
    +
    +        
    + +

    Initialize database;

    + +
    +        # samhain -t init -p notice
    +        
    + +

    If you want to "restart" remove samhain_file and run again + the command above. If daemon is set on config file you just + need to run;

    + +
    +        # samhain -t check -p notice
    +        
    + +

    To control daemon;

    + +
    +        # samhain stop
    +        # samhain start
    +        # samhain restart
    +        # samhain reload or force-reload
    +        # samhain status
    +        
    + +

    2.2.4.2. Update database

    + +

    Manual, + You can update the database while the daemon is running, as long + as you don't interfere with its logging. Using flag -l like this + samhain -t update -l none make sure the log file is not accessed.

    + +
    +        # samhain -t update -l none --interactive
    +        
    + +

    Interactive update are supported with the command line flag + --interactive. A file with a list of good files, absolute path, + one per line, can be passed with flag --listfile. Example;

    + +
    +        # samhain -t update -l none --listfile=/root/list_of_files
    +        
    + + Core OS Index +

    + This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

    + + + diff --git a/core/sysctl.html b/core/sysctl.html index 4e13209..d85aca4 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -2,13 +2,13 @@ - 2.2.3. Sysctl + 2.2.2. Sysctl Core OS Index -

    2.2.3. Sysctl

    +

    2.2.2. Sysctl

    Sysctl references Arch TCP/IP stack hardening, @@ -51,7 +51,7 @@ # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. - kernel.grsecurity.disable_priv_io = 0 + kernel.grsecurity.disable_priv_io = 1 # If you say Y here, attempts to bruteforce exploits against forking # daemons such as apache or sshd, as well as against suid/sgid binaries @@ -85,7 +85,7 @@ # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. - kernel.grsecurity.linking_restrictions = 0 + kernel.grsecurity.linking_restrictions = 1 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -99,15 +99,15 @@ # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. - kernel.grsecurity.enforce_symlinksifowner = 0 - #kernel.grsecurity.symlinkown_gid = 33 + kernel.grsecurity.enforce_symlinksifowner = 1 + kernel.grsecurity.symlinkown_gid = 15 # if you say Y here, users will not be able to write to FIFOs they don't # own in world-writable +t directories (e.g. /tmp), unless the owner of # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. - kernel.grsecurity.fifo_restrictions = 0 + kernel.grsecurity.fifo_restrictions = 1 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems 
@@ -123,7 +123,7 @@ # and GRKERNSEC_IO should be enabled and module loading disabled via # config or at runtime. # This feature is mainly intended for secure embedded systems. - #kernel.grsecurity.romount_protect = 0 + #kernel.grsecurity.romount_protect = 1 # if you say Y here, the capabilities on all processes within a # chroot jail will be lowered to stop module insertion, raw i/o, @@ -239,14 +239,14 @@ # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. - kernel.grsecurity.audit_group = 0 + kernel.grsecurity.audit_group = 1 # If you say Y here, the exec and chdir logging features will only operate # on a group you specify. This option is recommended if you only want to # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. - #kernel.grsecurity.audit_gid = 201 + kernel.grsecurity.audit_gid = 99 # If you say Y here, all execve() calls will be logged (since the # other exec*() calls are frontends to execve(), all execution @@ -274,7 +274,7 @@ # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. - kernel.grsecurity.audit_ptrace = 1 + #kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option @@ -297,7 +297,6 @@ # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. - #kernel.grsecurity.forkfail_logging = 1 kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. 
@@ -329,7 +328,7 @@ kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms - #kernel.kptr_restrict = 2 + kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you @@ -365,7 +364,7 @@ # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. - kernel.grsecurity.consistent_setxid = 0 + kernel.grsecurity.consistent_setxid = 1 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -383,7 +382,7 @@ # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. - kernel.grsecurity.harden_ipc = 0 + kernel.grsecurity.harden_ipc = 1 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." @@ -391,7 +390,7 @@ # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 - kernel.grsecurity.tpe_gid = 4 + kernel.grsecurity.tpe_gid = 100 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This 
@@ -555,13 +554,13 @@ # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. - kernel.grsecurity.socket_all = 0 + kernel.grsecurity.socket_all = 1 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID # specified here. If the sysctl option is enabled, a sysctl option # with name "socket_all_gid" is created. - #kernel.grsecurity.socket_all_gid = 202 + kernel.grsecurity.socket_all_gid = 200 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be diff --git a/core/toolchain.html b/core/toolchain.html index e4a8f84..b5d4bb1 100644 --- a/core/toolchain.html +++ b/core/toolchain.html @@ -2,13 +2,13 @@ - 2.2.1. Toolchain + 2.2.3. Toolchain Core OS Index -

    2.2.1. Toolchain

    +

    2.2.3. Toolchain

    Add flags to pkgmk configuration and change specific ports that don't build with hardening flags. More information about diff --git a/tools/conf/etc/asound.conf b/tools/conf/etc/asound.conf new file mode 100644 index 0000000..adbae67 --- /dev/null +++ b/tools/conf/etc/asound.conf @@ -0,0 +1 @@ +defaults.ctl.card 1;defaults.pcm.card 1; diff --git a/tools/x.html b/tools/x.html index ad5ea6d..027d58a 100644 --- a/tools/x.html +++ b/tools/x.html @@ -28,6 +28,8 @@ xkeyboard-config

    +

    Fonts

    +
             $ sudo prt-get depinst xorg-font-util \
                  xorg-font-alias \
    @@ -43,6 +45,7 @@
             

    From 6c37 collection;

    +        $ prt-get search otf- | xargs sudo prt-get depinst
             $ prt-get depinst otf-sourcecode
             
    @@ -187,6 +190,9 @@ gstreamer-vaapi \ gst-plugins-base \ gst-plugins-good \ + gst-plugins-bad \ + gst-plugins-ugly \ + cmus \ adwaita-icon-theme \ dmenu \ st \ -- cgit 1.4.1-2-gfad0 From 5ce31218b413faf6d860b03fc222b2e0b66f4aef Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Tue, 28 Feb 2017 19:39:47 +0000 Subject: core sysctl grsec socket gid 200+ --- core/conf/sysctl.conf | 2 +- core/sysctl.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'core/conf') diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index b0972e2..c421e59 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -550,7 +550,7 @@ kernel.grsecurity.socket_client = 1 # Remember to add the users you want client socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_client_gid" is created. -kernel.grsecurity.socket_client_gid = 15 +kernel.grsecurity.socket_client_gid = 201 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be diff --git a/core/sysctl.html b/core/sysctl.html index d85aca4..ac1a74b 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -574,7 +574,7 @@ # Remember to add the users you want client socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_client_gid" is created. - kernel.grsecurity.socket_client_gid = 15 + kernel.grsecurity.socket_client_gid = 201 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be -- cgit 1.4.1-2-gfad0 From 40fc398cab05e1ae769554a50fb423ca38c3bfb6 Mon Sep 17 00:00:00 2001 
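Review bot: In the core/conf/sysctl.conf hunk on this line, `kernel.grsecurity.socket_client_gid = 201` is a bare number with nothing in the file saying which group it denotes; the restriction the surrounding comment describes only takes effect if a group with that gid exists and holds the intended users, so a comment such as `# gid 201: group whose members are denied client socket access (must exist in /etc/group)` would make the intent checkable. The earlier sysctl.html hunk shows `kernel.grsecurity.symlinkown_gid = 15`, so the old value 15 presumably coincided with that group and the renumbering fixes it, but only the commit subject ("socket gid 200+") records that; pairing the comment with the `socket_all_gid = 200` value from the same series would document the scheme in the conf itself. The mirrored one-line change in core/sysctl.html on this line needs no separate note.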
From: Silvino Silva Date: Wed, 1 Mar 2017 21:26:01 +0000 Subject: 6c37 ports configuration updated --- core/conf/ports/6c37-dropin.httpup | 5 +++++ core/conf/ports/6c37.httpup | 5 +++++ core/configure.html | 4 ++-- core/package.html | 2 ++ core/ports.html | 16 +++++++++------- 5 files changed, 23 insertions(+), 9 deletions(-) create mode 100644 core/conf/ports/6c37-dropin.httpup create mode 100644 core/conf/ports/6c37.httpup (limited to 'core/conf') diff --git a/core/conf/ports/6c37-dropin.httpup b/core/conf/ports/6c37-dropin.httpup new file mode 100644 index 0000000..6dfb3e2 --- /dev/null +++ b/core/conf/ports/6c37-dropin.httpup @@ -0,0 +1,5 @@ +# Collection 6c37-dropin, by camille at airmail dot cc +# File generated by the CRUX portdb http://crux.nu/portdb/ + +ROOT_DIR=/usr/ports/6c37-dropin +URL=https://raw.githubusercontent.com/6c37/crux-ports-dropin/3.3/ diff --git a/core/conf/ports/6c37.httpup b/core/conf/ports/6c37.httpup new file mode 100644 index 0000000..dbc9422 --- /dev/null +++ b/core/conf/ports/6c37.httpup @@ -0,0 +1,5 @@ +# Collection 6c37, by kori at openmailbox dot org +# File generated by the CRUX portdb http://crux.nu/portdb/ + +ROOT_DIR=/usr/ports/6c37 +URL=https://raw.githubusercontent.com/6c37/crux-ports/3.2/ diff --git a/core/configure.html b/core/configure.html index b6b3fb5..6349b65 100644 --- a/core/configure.html +++ b/core/configure.html @@ -52,7 +52,7 @@
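Review bot: The two new httpup files track different upstream branches: `URL=https://raw.githubusercontent.com/6c37/crux-ports-dropin/3.3/` in 6c37-dropin.httpup versus `URL=https://raw.githubusercontent.com/6c37/crux-ports/3.2/` in 6c37.httpup. If both collections are meant to follow the same CRUX release this looks like a leftover, and if the split is deliberate a one-line comment saying so would stop the next reader from "fixing" it. Both files also pull whatever the branch holds at sync time, so what `ports -u` brings in can change between runs with no local record; a header line like `# last reviewed against <ref> on <date>` keeps that auditable. Fetching over https is the right choice and should stay.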

    Edit /etc/hosts to contain your hostname and FQDN, - this example uses c9.core and c9.root.cx sub-domain from + this example uses c9.core and c9.root.sx sub-domain from afraid.org pointing to 10.0.0.1 ip;

    @@ -62,7 +62,7 @@ 127.0.0.1 c9.core c9 #<ip-address> <hostname.domain.org> <aliases> - 10.0.0.1 c9.root.cx + 10.0.0.1 c9.root.sx # IPv6 #::1 ip6-localhost ip6-loopback diff --git a/core/package.html b/core/package.html index 327029e..21415ae 100644 --- a/core/package.html +++ b/core/package.html @@ -136,6 +136,7 @@ # 6c37 team provides a collection with freetype-iu, fontconfig-iu # and cairo-iu ports. + prtdir /usr/ports/6c37-dropin prtdir /usr/ports/6c37 @@ -143,6 +144,7 @@
             $ sudo ports -u c9-ports
    +        $ sudo ports -u 6c37-dropin
             $ sudo ports -u 6c37
             
    diff --git a/core/ports.html b/core/ports.html index 9662e43..6a5e4a8 100644 --- a/core/ports.html +++ b/core/ports.html @@ -155,6 +155,15 @@ # note: the order matters: the package found first is used prtdir /usr/ports/core + + # ports described on this documentation + prtdir /usr/ports/c9-ports + + # 6c37 team provides a collection with freetype-iu, fontconfig-iu + # and cairo-iu ports. + prtdir /usr/ports/6c37 + prtdir /usr/ports/6c37-dropin + prtdir /usr/ports/opt prtdir /usr/ports/xorg @@ -164,13 +173,6 @@ # the following line enables the user maintained contrib collection prtdir /usr/ports/contrib - # ports described on this documentation - #prtdir /usr/ports/c9-ports - - # 6c37 team provides a collection with freetype-iu, fontconfig-iu - # and cairo-iu ports. - #prtdir /usr/ports/6c37 - ### use mypackage form local directory # prtdir /home/packages/build:mypackage -- cgit 1.4.1-2-gfad0 From 079066bc153f3a6fe84b5da0b8fa8e584641b46d Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Wed, 1 Mar 2017 21:27:03 +0000 Subject: overall revision --- core/conf/iptables/iptables-lan.sh | 578 +++++++++++++++++++------------------ core/configure.html | 1 + core/grsecurity.html | 7 +- core/reboot.html | 2 +- core/toolchain.html | 19 ++ dev/php/index.html | 23 +- legal/index.html | 2 +- tools/conf/etc/nginx/nginx.conf | 13 +- tools/conf/etc/rc.d/git-daemon | 42 +++ tools/gitolite.html | 23 +- tools/network.html | 7 +- tools/nginx.html | 19 ++ tools/nmap.html | 2 +- tools/scripts/pkgmk-test.conf | 2 +- tools/scripts/setup-nginx.sh | 22 +- tools/x.html | 3 +- 16 files changed, 443 insertions(+), 322 deletions(-) create mode 100755 tools/conf/etc/rc.d/git-daemon (limited to 'core/conf') diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh index 58d92c3..491bc3b 100644 --- a/core/conf/iptables/iptables-lan.sh +++ b/core/conf/iptables/iptables-lan.sh 
@@ -1,322 +1,336 @@ #!/bin/sh -#------------------------------------------------------------------------------ # -# File: iptables_mint17.sh +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# + +# | +# v +# +-------------+ +------------------+ +# |table: filter| <---+ | table: nat | +# |chain: INPUT | | | chain: PREROUTING| +# +-----+-------+ | +--------+---------+ +# | | | +# v | v +# [local process] | **************** +--------------+ +# | +---------+ Routing decision +------> |table: filter | +# v **************** |chain: FORWARD| +# **************** +------+-------+ +# Routing decision | +# **************** | +# | | +# v **************** | +# +-------------+ +------> Routing decision <---------------+ +# |table: nat | | **************** +# |chain: OUTPUT| | + +# +-----+-------+ | | +# | | v +# v | +-------------------+ +# +--------------+ | | table: nat | +# |table: filter | +----+ | chain: POSTROUTING| +# |chain: OUTPUT | +--------+----------+ +# +--------------+ | +# v +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX # -# http://www.hardenedlinux.org +# iptables [-t table] {-A|-C|-D} chain rule-specification # -# Reference: Ruslan Abuzant , http://www.hackersgarage.com/ -# Changed by: Silvino Silva +# iptables [-t table] {-A|-C|-D} chain rule-specification # -# License: GNU GPL (version 2, or any later version). +# iptables [-t table] -I chain [rulenum] rule-specification # -# Configuration. -#------------------------------------------------------------------------------ - -# For debugging use iptables -v. -IPTABLES="/usr/sbin/iptables" -IP6TABLES="/usr/sbin/ip6tables" -MODPROBE="/sbin/modprobe" -RMMOD="/sbin/rmmod" -ARP="/usr/sbin/arp" - -# NIC interfaces -NIC_NAME="enp8s0 wlp7s0" - -# Logging options. 
-#------------------------------------------------------------------------------ -LOG="LOG --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options" - - -# Defaults for rate limiting -#------------------------------------------------------------------------------ -RLIMIT="-m limit --limit 3/s --limit-burst 8" - - -# Unprivileged ports. -#------------------------------------------------------------------------------ -PHIGH="1024:65535" -PSSH="1000:1023" - - -# Load required kernel modules -#------------------------------------------------------------------------------ -$MODPROBE ip_conntrack_ftp -$MODPROBE ip_conntrack_irc - - -# Mitigate ARP spoofing/poisoning and similar attacks. -#------------------------------------------------------------------------------ -# Hardcode static ARP cache entries here -# $ARP -s IP-ADDRESS MAC-ADDRESS - - -# Default policies. -#------------------------------------------------------------------------------ - -# Drop everything by default. -$IPTABLES -P INPUT DROP -$IPTABLES -P FORWARD DROP -$IPTABLES -P OUTPUT DROP - -# Set the nat/mangle/raw tables' chains to DROP - -$IPTABLES -t mangle -P PREROUTING ACCEPT -$IPTABLES -t mangle -P INPUT ACCEPT -$IPTABLES -t mangle -P FORWARD ACCEPT -$IPTABLES -t mangle -P OUTPUT ACCEPT -$IPTABLES -t mangle -P POSTROUTING ACCEPT - -# Cleanup. -#------------------------------------------------------------------------------ - -# Delete all -$IPTABLES -F -$IPTABLES -t mangle -F - -# Delete all -$IPTABLES -X -$IPTABLES -t mangle -X - -# Zero all packets and counters. -$IPTABLES -Z -$IPTABLES -t mangle -Z - -# Completely disable IPv6. -#------------------------------------------------------------------------------ - -# Block all IPv6 traffic -# If the ip6tables command is available, try to block all IPv6 traffic. 
-#if test -x $IP6TABLES; then -# Set the default policies -# drop everything -#$IP6TABLES -P INPUT DROP -#$IP6TABLES -P FORWARD DROP -#$IP6TABLES -P OUTPUT DROP +# iptables [-t table] -R chain rulenum rule-specification +# +# iptables [-t table] -D chain rulenum # -## The mangle table can pass everything -#$IP6TABLES -t mangle -P PREROUTING ACCEPT -#$IP6TABLES -t mangle -P INPUT ACCEPT -#$IP6TABLES -t mangle -P FORWARD ACCEPT -#$IP6TABLES -t mangle -P OUTPUT ACCEPT -#$IP6TABLES -t mangle -P POSTROUTING ACCEPT - -# Delete all rules. -#$IP6TABLES -F 2>/dev/null -#$IP6TABLES -t mangle -F 2>/dev/null +# iptables [-t table] -S [chain [rulenum]] # -## Delete all chains. -#$IP6TABLES -X 2>/dev/null -#$IP6TABLES -t mangle -X 2>/dev/null +# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] # -## Zero all packets and counters. -#$IP6TABLES -Z 2>/dev/null -#$IP6TABLES -t mangle -Z 2>/dev/null -#fi - -# Custom user-defined chains. -#------------------------------------------------------------------------------ - -# LOG packets, then ACCEPT. -$IPTABLES -N ACCEPTLOG -$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "iptables: ACCEPT " -$IPTABLES -A ACCEPTLOG -j ACCEPT - -# LOG packets, then DROP. -$IPTABLES -N DROPLOG -$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "iptables: DROP " -$IPTABLES -A DROPLOG -j DROP - -# LOG packets, then REJECT. -# TCP packets are rejected with a TCP reset. -$IPTABLES -N REJECTLOG -$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "iptables: REJECT " -$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset -$IPTABLES -A REJECTLOG -j REJECT - -# Allow loopback interface to do anything. -$IPTABLES -A INPUT -i lo -j ACCEPT -$IPTABLES -A OUTPUT -o lo -j ACCEPT - - -# Only allows RELATED ICMP types -# (destination-unreachable, time-exceeded, and parameter-problem). -# TODO: Rate-limit this traffic? -# TODO: Allow fragmentation-needed? -# TODO: Test. 
-$IPTABLES -N RELATED_ICMP -$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT -$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT -$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT -$IPTABLES -A RELATED_ICMP -j DROPLOG - -# Make It Even Harder To Multi-PING -$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT -$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP: -$IPTABLES -A INPUT -p icmp -j DROP -$IPTABLES -A OUTPUT -p icmp -j ACCEPT +# iptables [-t table] -N chain +# +# iptables [-t table] -X [chain] +# +# iptables [-t table] -P chain target +# +# iptables [-t table] -E old-chain-name new-chain-name +# +# rule-specification = [matches...] [target] +# +# match = -m matchname [per-match-options] +# +# +# Targets +# +# can be a user defined chain +# +# ACCEPT - accepts the packet +# DROP - drop the packet on the floor +# QUEUE - packet will be stent to queue +# RETURN - stop traversing this chain and +# resume ate the next rule in the +# previeus (calling) chain. +# +# if packet reach the end of the chain or +# a target RETURN, default policy for that +# chain is applayed. +# +# Target Extensions +# +# AUDIT +# CHECKSUM +# CLASSIFY +# DNAT +# DSCP +# LOG +# Torn on kernel logging, will print some +# some information on all matching packets. +# Log data can be read with dmesg or syslogd. +# This is a non-terminating target and a rule +# should be created with matching criteria. +# +# --log-level level +# Level of logging (numeric or see sys- +# log.conf(5) +# +# --log-prefix prefix +# Prefix log messages with specified prefix +# up to 29 chars log +# +# --log-uid +# Log the userid of the process with gener- +# ated the packet +# NFLOG +# This target pass the packet to loaded logging +# backend to log the packet. One or more userspace +# processes may subscribe to the group to receive +# the packets. 
+# +# ULOG +# This target provides userspace logging of maching +# packets. One or more userspace processes may then +# then subscribe to various multicast groups and +# then receive the packets. +# +# +# Commands +# +# -A, --append chain rule-specification +# -C, --check chain rule-specification +# -D, --delete chain rule-specification +# -D, --delete chain rulenum +# -I, --insert chain [rulenum] rule-specification +# -R, --replace chain rulenum rule-specification +# -L, --list [chain] +# -P, --policy chain target +# +# Parameters +# +# -p, --protocol protocol +# tcp, udp, udplite, icmp, esp, ah, sctp, all +# -s, --source address[/mask][,...] +# -d, --destination address[/mask][,...] +# -j, --jump target +# -g, --goto chain +# -i, --in-interface name +# -o, --out-interface name +# -f, --fragment +# -m, --match options module-name +# iptables can use extended packet matching +# modules. +# -c, --set-counters packets bytes + +IPT="/usr/sbin/iptables" +SPAMLIST="blockedip" +SPAMDROPMSG="BLOCKED IP DROP" +PUB_IF="wlp7s0" +DHCP_SERV="192.168.1.1" +PUB_IP="192.168.1.33" +PRIV_IF="br0" + +modprobe ip_conntrack +modprobe ip_conntrack_ftp + +echo "Stopping ipv4 firewall and deny everyone..." + +iptables -F +iptables -X +iptables -t nat -F +iptables -t nat -X +iptables -t mangle -F +iptables -t mangle -X +iptables -t raw -F +iptables -t raw -X +iptables -t security -F +iptables -t security -X + + +echo "Starting ipv4 firewall filter table..." + +# Set Default Rules +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +# Unlimited on local +$IPT -A INPUT -i lo -j ACCEPT +$IPT -A OUTPUT -o lo -j ACCEPT + +# Block sync +$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " +$IPT -A INPUT -p tcp ! 
--syn -m state --state NEW -j DROP + +# Block Fragments +$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " +$IPT -A INPUT -f -j DROP + +# Block bad stuff +$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP +$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP + +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + +$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + +##### Add your AP rules below ###### + +echo 1 > /proc/sys/net/ipv4/ip_forward + +$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT +$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT + +$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP} +$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT +$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT +# +##### Server rules below ###### -# Only allow the minimally required/recommended parts of ICMP. Block the rest. 
-#------------------------------------------------------------------------------ +#echo "Allow ICMP" +$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT -# TODO: This section needs a lot of testing! +#echo "Allow DNS Server" +#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT -# First, drop all fragmented ICMP packets (almost always malicious). -$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG -$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG -$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG +echo "Allow HTTP and HTTPS server" +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow all ESTABLISHED ICMP traffic. 
-$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT -$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT +#echo "Allow ssh server" +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT -# Allow some parts of the RELATED ICMP traffic, block the rest. -$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT -$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT +##### Add your rules below ###### -# Allow incoming ICMP echo requests (ping), but only rate-limited. -$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT +echo "Allow DNS Client" -# Allow outgoing ICMP echo requests (ping), but only rate-limited. -$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Drop any other ICMP traffic. -$IPTABLES -A INPUT -p icmp -j DROPLOG -$IPTABLES -A OUTPUT -p icmp -j DROPLOG -$IPTABLES -A FORWARD -p icmp -j DROPLOG +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Selectively allow certain special types of traffic. -#------------------------------------------------------------------------------ +echo "Allow Whois Client" -# Allow incoming connections related to existing allowed connections. 
-$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow outgoing connections EXCEPT invalid -$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +echo "Allow HTTP Client" -# Miscellaneous. -#------------------------------------------------------------------------------ +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# We don't care about Milkosoft, Drop SMB/CIFS/etc.. -# ^ greedyevilsoft -$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP -$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +echo "Allow Rsync Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT -# Explicitly drop invalid incoming traffic -$IPTABLES -A INPUT -m state --state INVALID -j DROP +echo "Allow POP3S Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT -# Drop invalid outgoing traffic, too. 
-$IPTABLES -A OUTPUT -m state --state INVALID -j DROP +echo "Allow SMTPS Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT -# If we would use NAT, INVALID packets would pass - BLOCK them anyways -$IPTABLES -A FORWARD -m state --state INVALID -j DROP +echo "Allow NTP Client" +$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT -# PORT Scanners (stealth also) -$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP -$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -# TODO: Some more anti-spoofing rules? For example: -$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP -$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG +echo "Allow IRC Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW -j ACCEPT -$IPTABLES -N SYN_FLOOD -$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD -$IPTABLES -A 
SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN +echo "Allow Active FTP Client" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPTABLES -A SYN_FLOOD -j DROP +echo "Allow Git" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9418 -m state --state NEW -j ACCEPT -#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 30/min --limit-burst 7 -j DROPLOG --log-prefix "iptables: drop sync: " --log-level 7 -#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +echo "Allow ssh client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT -#$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " -#$IPTABLES -A INPUT -f -j DROP -$IPTABLES -A INPUT -f -j DROPLOG +#echo "Allow Passive Connections" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT -# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc... -# Selectively allow certain inbound connections, block the rest. 
-#------------------------------------------------------------------------------ +# echo "Allow FairCoin" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT +# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT +# +# echo "Allow Dashcoin" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT +# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT +# +# echo "Allow warzone2100" +# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT +# +# echo "Allow wesnoth" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT -# Allow incoming SSH requests. -#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT +##### END your rules ############ +# Less log of known traffic -# Allow incoming https server -#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --sport $PHIGH -m state --state NEW,ESTABLISHED -j ACCEPT +# RIP protocol +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP +# DHCP +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 67 --dport 68 -s $DHCP_SERV -j ACCEPT -# Selectively allow certain outbound connections, block the rest. 
-#------------------------------------------------------------------------------ -# +# log everything else and drop +$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " +$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " +$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -# Allow ping -$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow to ssh clients -$IPTABLES -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow to dns -$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow irc -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to xmmp -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow to rsync server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to pop3s server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to smtps server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ntp server -$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ftp server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to https server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -#$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to http server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport 
$PHIGH --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - -# Selectively allow certain outbound server connections, block the rest. -#------------------------------------------------------------------------------ - -# Allow from https server -#$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT - -# Allow from dns server -#$IPTABLES -A OUTPUT -p udp -m udp --sport 53 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT - -# Explicitly log and reject everything else. -#------------------------------------------------------------------------------ -# Use REJECT instead of REJECTLOG if you don't need/want logging. -$IPTABLES -A INPUT -j DROPLOG -$IPTABLES -A OUTPUT -j DROPLOG -$IPTABLES -A FORWARD -j REJECTLOG - -# Counter hits - -#for i in $NIC_NAME -#do -# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set -# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP -#done - -#------------------------------------------------------------------------------ -# Testing the firewall. -#------------------------------------------------------------------------------ - -# You should check/test that the firewall really works, using -# iptables -vnL, nmap, ping, telnet, ... - -# Exit gracefully. -#------------------------------------------------------------------------------ exit 0 diff --git a/core/configure.html b/core/configure.html index 6349b65..b3ca259 100644 --- a/core/configure.html +++ b/core/configure.html @@ -253,6 +253,7 @@ pkgmk /usr/ports/work tmpfs size=30G,gid=101,uid=100,defaults 0 0 UUID=36e9e1d5-8356-451e-a301-81098b9a15ea /srv ext4 defaults,nodev,errors=remount-ro 0 0 UUID=cd15196a-69f1-4fb4-9730-a384c62add91 /home ext4 defaults,nodev,nosuid,errors=remount-ro 0 0 + #UUID=04f07488ce7b36205acc6d404dcf924643660ac5 # End of file 
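Review bot: The AP rule `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT` forwards any packet arriving on the public interface toward the bridge with no conntrack state match, so once `ip_forward` is enabled every host on the wlp7s0 side that can route to the bridge subnet reaches the private segment directly (the SNAT rule only rewrites outbound traffic). Change it to `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT` so only replies to connections initiated from ${PRIV_IF} are forwarded. The three catch-all `LOG` rules at the end of INPUT, OUTPUT and FORWARD have no `-m limit`, unlike the per-rule limits used earlier in the script, so a scan or flood fills the kernel log; add `-m limit --limit 5/m --limit-burst 7` to them. Also worth noting in a comment: the old `--state INVALID -j DROP` rules were dropped and nothing replaces them, the cleanup section calls bare `iptables` while the rest uses `$IPT`, and `modprobe ip_conntrack` is the legacy module name (`nf_conntrack` on current kernels) — modprobe will print an error and the script carries on without it.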
diff --git a/core/grsecurity.html b/core/grsecurity.html index 30ee28c..48ac2b2 100644 --- a/core/grsecurity.html +++ b/core/grsecurity.html @@ -15,7 +15,7 @@ port kernel, for manual configuration check linux kernel. Configuration is not enable by default, groups with special permissions and other - protections are set with sysctl.html;

    + protections are set with sysctl;

    @@ -56,6 +56,11 @@
    Deny server sockets to this group.
    +

    At run time you can change some configurations;

    + +
    +        # cat /proc/sys/kernel/grsecurity/what_ever_setting
    +        

    Kernel configuration related to grsecurity;

    diff --git a/core/reboot.html b/core/reboot.html index c60265a..aa45a0f 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -99,7 +99,7 @@ # grub-probe --target=hints_string / -

    Rescue iso

    +

    1.4.3.1. Rescue iso

    Simple way to have "resque" system is to mount boot as read only, this assures that even as root nothing can be changed without remount. diff --git a/core/toolchain.html b/core/toolchain.html index b5d4bb1..04b58e3 100644 --- a/core/toolchain.html +++ b/core/toolchain.html @@ -74,6 +74,25 @@ export LDFLAGS="" +

    Openssl

    + +

    Replace openssl by libressl, view if + libressl port from 6c37-dropin is updated with + latest libressl upstream. First install libressl + to ensure it gets all the sources; + +

    +        $ sudo prt-get depinst libressl
    +        
    + +

    After complaining about openssl files remove openssl; + +

    +        $ sudo prt-get remove openssl
    +        $ sudo prt-get depinst libressl
    +        
    + +

    libcap

      diff --git a/dev/php/index.html b/dev/php/index.html index 2a44270..a4549f1 100644 --- a/dev/php/index.html +++ b/dev/php/index.html @@ -9,10 +9,31 @@

      c9 PHP

      + +

      Hello World

      + +

      PHP comes with a built in server that helps to speed up + developing by not having to configure a system web server, + first create file index.php;

      + +
      +        <?php
      +           echo "Hello World";
      +        
      + +

      Now run the server;

      + +
      +        $ php -S localhost:8000
      +        
      + +

      Open your browser and browse http://localhost:8000, + you should see "Hello World".

      + Development Index

      This is part of the c9-doc Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

      diff --git a/legal/index.html b/legal/index.html index 0912ad8..677a540 100644 --- a/legal/index.html +++ b/legal/index.html @@ -19,7 +19,7 @@
      • Brasil
      • -
      • Portugal
      • +
      • Portugal (lost case, completed owned by corporations interests)
      Documentation Index diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf index ddbdee6..8fca293 100644 --- a/tools/conf/etc/nginx/nginx.conf +++ b/tools/conf/etc/nginx/nginx.conf @@ -3,7 +3,7 @@ # -user nginx; +user www; worker_processes auto; error_log /var/log/nginx/error.log; @@ -20,16 +20,6 @@ http { include mime.types; default_type application/octet-stream; - ## - # SSL Settings - ## - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on; - - # ssl on; - ssl_certificate /etc/ssl/certs/nginx.crt; - ssl_certificate_key /etc/ssl/keys/nginx.key; - #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; @@ -40,6 +30,7 @@ http { sendfile on; #tcp_nopush on; + client_max_body_size 8M; keepalive_timeout 65; client_body_timeout 12; client_header_timeout 12; diff --git a/tools/conf/etc/rc.d/git-daemon b/tools/conf/etc/rc.d/git-daemon new file mode 100755 index 0000000..8aa9d81 --- /dev/null +++ b/tools/conf/etc/rc.d/git-daemon 
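Review bot: Removing the `ssl_protocols`/`ssl_prefer_server_ciphers` block from the `http {}` context means every TLS-enabled `server {}` must now set those directives itself, otherwise nginx's built-in defaults apply (which at this nginx generation still enable TLSv1 and TLSv1.1 and leave cipher preference to the client); if the per-vhost files, which are not in this diff, do not carry them, this hunk weakens the TLS configuration rather than just relocating it. Suggest keeping `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` in `http {}` as a floor and moving only the certificate paths to the vhosts. Switching `user nginx;` to `user www;` makes nginx run as the same account the new git-daemon script and the fcgiwrap instructions in this commit use, so a compromise of any one of them gives write access to everything owned by `www` (including the gitweb copy under /srv/www); either note that trade-off in a comment or keep separate accounts sharing the `www` group.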
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+SSD=/sbin/start-stop-daemon
+NAME=git-daemon
+PROG=$(git --exec-path)/${NAME}
+USER=www
+GROUP=www
+PIDFILE=/var/run/git-daemon.pid
+OPTS="--verbose --reuseaddr --base-path=/srv/gitolite/repositories"
+
+case $1 in
+ start)
+ echo "Starting ${NAME}..."
+ $SSD --start \
+ --pidfile ${PIDFILE} \
+ --exec ${PROG} -- ${OPTS} \
+ --detach --pid-file=${PIDFILE} \
+ --user=${USER} --group=${GROUP}
+
+ ;;
+ stop)
+ echo "Stopping ${NAME}..."
+ $SSD --stop --quiet --name git-daemon \
+ --pidfile ${PIDFILE}
+ ;;
+ restart)
+ echo "Restarting ${NAME}..."
+ $0 stop
+ $0 start
+ ;;
+ status)
+ $SSD --status --pidfile $PIDFILE
+ case $? in
+ 0) echo "$PROG is running with pid $(cat $PIDFILE )" ;;
+ 3) echo "$PROG is not running" ;;
+ 4) echo "Unable to determine the program status" ;;
+ esac
+ ;;
+ *)
+ echo "usage: $0 [start|stop|restart|status]"
+ ;;
+esac
diff --git a/tools/gitolite.html b/tools/gitolite.html
index ab1ad3a..a275c23 100644
--- a/tools/gitolite.html
+++ b/tools/gitolite.html
@@ -552,24 +552,35 @@
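Review bot: `OPTS` starts the daemon with `--base-path=/srv/gitolite/repositories` and no `--export-all`, so only repositories containing a `git-daemon-export-ok` marker are served (with gitolite that marker is typically created by granting read access to the `daemon` pseudo-user); the script should say so in a comment, e.g. `# repos are served only when git-daemon-export-ok exists — do NOT add --export-all`, so nobody "fixes" an unreachable repository by exposing everything under that path on an unauthenticated port. `OPTS` also sets no `--max-connections`, `--timeout` or `--init-timeout`, so git-daemon's defaults apply (32 concurrent connections and, per its man page, no timeouts unless requested) and a few idle clients can exhaust the service; consider `--max-connections=16 --init-timeout=30 --timeout=60` or similar. Minor: `$PIDFILE` and `$(cat $PIDFILE )` in the status branch are unquoted, and `restart` runs `$0 start` immediately after `$0 stop` without waiting for the old process to exit, which `--reuseaddr` usually masks but which can leave the pid file pointing at the wrong process.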

      5.2. Configure nginx

      -

      Edit /etc/rc.d/fcgiwrap to run as nginx user member of gitolite - and www group;

      +

      Edit /etc/rc.d/fcgiwrap to run as www user member of www group;

      -        USER=nginx
      -        GROUP=nginx
      +        USER=www
      +        GROUP=www
               
      +

      Permissions for /srv/gitolite/repositories directories should be + 0750/drwxr-x---.

      +
      -        # usermod -G www,gitolite nginx
      +        $ chown gitolite:www /srv/gitolite
      +        $ chown -R gitolite:www /srv/gitolite/projects.list
      +        $ chown -R gitolite:www /srv/gitolite/repositories
               
      -

      Create link from gitweb to web server folder;

      +

      A link from gitweb don't work under grsecurity since user www can't + follow simlink to root. Make a copy, later deploy via gitolite hook.

      +

      Link;

               # ln -s /usr/share/gitweb /srv/www
               
      +

      Copy;

      +
      +        # cp -r /usr/share/gitweb /srv/www
      +        
      +

      Add this to default or main nginx virtual host;

      diff --git a/tools/network.html b/tools/network.html index 9cf5395..c4e99f6 100644 --- a/tools/network.html +++ b/tools/network.html @@ -22,15 +22,12 @@ generate cron job to update ip every 5 minutes, check about dynamic interface. To run as system cron job add as root and remove path line from example;

      -
      -        PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
      -        
      -
               # crontab -e
               
      -

      Example from afraid uses curl and will log output to /tmp/freedns*

      +

      Example from afraid uses curl and will log output to /tmp/freedns*, + change to /var/log/freedns

      Bridges

      diff --git a/tools/nginx.html b/tools/nginx.html index 6d4f355..a85cf0e 100644 --- a/tools/nginx.html +++ b/tools/nginx.html @@ -43,6 +43,25 @@

      2. Certificates

      +

      2.1. Lets encrypt

      + +

      Example of nginx location block on public pmwiki setup;

      + +
      +        #ACME challenge
      +        location ^~ /.well-known {
      +              allow all;
      +              alias /srv/www/c9-pmwiki/pub/cert/.well-known/;
      +              default_type "text/plain";
      +              try_files $uri =404;
      +        }
      +        
      + +
      +        # certbot certonly --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d c9.root.sx
      +        
      + +

      2.2. Self certificate

      Certificates allow a more secure connection. Lets create self-signed certificate;

diff --git a/tools/nmap.html b/tools/nmap.html
index c07ec0f..c3d5316 100644
--- a/tools/nmap.html
+++ b/tools/nmap.html
@@ -24,7 +24,7 @@

      Or by hostname;

      -        # nmap -v c9.root.cx
      +        # nmap -v c9.root.sx
               

      Check OS and version detection;

      diff --git a/tools/scripts/pkgmk-test.conf b/tools/scripts/pkgmk-test.conf index 623c52c..db9978d 100644 --- a/tools/scripts/pkgmk-test.conf +++ b/tools/scripts/pkgmk-test.conf @@ -22,7 +22,7 @@ case ${PKGMK_ARCH} in ;; esac -PKGMK_SOURCE_MIRRORS=(https://c9.root.cx/ports/distfiles/) +PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/) # PKGMK_SOURCE_DIR="$PWD" # PKGMK_PACKAGE_DIR="$PWD" # PKGMK_WORK_DIR="$PWD/work" diff --git a/tools/scripts/setup-nginx.sh b/tools/scripts/setup-nginx.sh index decacc1..11065d2 100644 --- a/tools/scripts/setup-nginx.sh +++ b/tools/scripts/setup-nginx.sh @@ -1,16 +1,16 @@ #!/bin/sh -. `dirname $0`/config-install.sh - -prt-get depinst nginx - -cp -R $CONF_DIR/etc/nginx/* /etc/nginx/ - -mkdir /srv/www -chown nginx:www /srv/www - -usermod -a -G www nginx -usermod -m -d /srv/www nginx +#. `dirname $0`/config-install.sh +# +#prt-get depinst nginx +# +#cp -R $CONF_DIR/etc/nginx/* /etc/nginx/ +# +#mkdir /srv/www +#chown www:www /srv/www +# +#usermod -a -g www nginx +#usermod -m -d /srv/www nginx openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048 openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr diff --git a/tools/x.html b/tools/x.html index 027d58a..8a68c5b 100644 --- a/tools/x.html +++ b/tools/x.html @@ -36,13 +36,14 @@ xorg-font-dejavu-ttf \ xorg-font-cursor-misc \ xorg-font-misc-misc \ + console-font-terminus \ + xorg-font-terminus \ xorg-font-mutt-misc $ prt-get search xorg-font-bitstream | xargs sudo prt-get depinst $ prt-get search xorg-font-bh | xargs sudo prt-get depinst -

      From 6c37 collection;

               $ prt-get search otf- | xargs sudo prt-get depinst
      -- 
      cgit 1.4.1-2-gfad0
      
      
      From 65167272a3ba52dc4d032a1c60a9ff030408047d Mon Sep 17 00:00:00 2001
      From: Silvino Silva 
      Date: Wed, 2 Aug 2017 01:01:58 +0100
      Subject: first hardened test
      
      ---
       core/conf/pkgmk.conf                            |    9 +-
       core/conf/prt-get.conf                          |   19 +-
       core/conf/sysctl.conf                           |    2 +-
       core/network.html                               |    6 +
       core/scripts/act-chroot.sh                      |   18 +-
       core/scripts/setup-install.sh                   |  217 +---
       core/scripts/setup-target.sh                    |  229 +++-
       dev/c/index.html                                |   90 +-
       tools/conf/etc/fonts/local.conf                 | 1542 +++++++++++++++++++++++
       tools/conf/etc/iptables/iptables-br.sh          |  318 +++++
       tools/conf/etc/iptables/vlan.v4                 |  228 ++--
       tools/conf/etc/nginx/sites-enabled/default.conf |   86 +-
       tools/conf/etc/ssh/sshd_config                  |   30 +-
       tools/nginx.html                                |    8 +-
       tools/qemu.html                                 |   80 +-
       tools/scripts/pkgmk-test.conf                   |    8 +-
       tools/scripts/pkgmk-test.sh                     |    2 +-
       17 files changed, 2499 insertions(+), 393 deletions(-)
       mode change 100644 => 100755 core/scripts/setup-install.sh
       mode change 100644 => 100755 core/scripts/setup-target.sh
       create mode 100644 tools/conf/etc/fonts/local.conf
       create mode 100644 tools/conf/etc/iptables/iptables-br.sh
      
      (limited to 'core/conf')
      
      diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf
      index 4ef372e..6949fa7 100644
      --- a/core/conf/pkgmk.conf
      +++ b/core/conf/pkgmk.conf
      @@ -2,9 +2,10 @@
       # /etc/pkgmk.conf: pkgmk(8) configuration
       #
       
      -export CFLAGS="-O2 -march=native -mtune=native"
      +export CPPFLAGS="-D_FORTIFY_SOURCE=2"
      +export CFLAGS="-O2 -march=native -mtune=native -pipe -fPIC -fPIE -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check"
       export CXXFLAGS="${CFLAGS}"
      -
      +export LDFLAGS="-fPIE -pie -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
       export MAKEFLAGS="-j4"
       
       case ${PKGMK_ARCH} in
      @@ -22,7 +23,9 @@ case ${PKGMK_ARCH} in
       		;;
       esac
       
      -#PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
      +PKGMK_SOURCE_MIRRORS=(https://crux.nu/distfiles/)
      +#PKGMK_SOURCE_MIRRORS=(https://crux.ster.zone/distfiles/)
      +#PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/)
       PKGMK_SOURCE_DIR="/usr/ports/distfiles"
       PKGMK_PACKAGE_DIR="/usr/ports/packages"
       PKGMK_WORK_DIR="/usr/ports/work/$name"
      diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf
      index 0504d3e..e210ca8 100644
      --- a/core/conf/prt-get.conf
      +++ b/core/conf/prt-get.conf
      @@ -5,20 +5,19 @@
       # note: the order matters: the package found first is used
       prtdir /usr/ports/core
       prtdir /usr/ports/opt
      +prtdir /usr/ports/contrib
      +prtdir /usr/ports/c9-ports
       prtdir /usr/ports/xorg
       
      +# 6c37 team provides a collection with freetype-iu, fontconfig-iu
      +# and cairo-iu ports.
      +
       # the following line enables the multilib compat-32 collection
       #prtdir /usr/ports/compat-32
       
       # the following line enables the user maintained contrib collection
      -prtdir /usr/ports/contrib
      -
      -# ports described on this documentation
      -#prtdir /usr/ports/c9-ports
      -
      -# 6c37 team provides a collection with freetype-iu, fontconfig-iu
      -# and cairo-iu ports.
      -#prtdir /usr/ports/6c37
      +prtdir /usr/ports/6c37-dropin
      +prtdir /usr/ports/6c37
       
       ### use mypackage form local directory
       # prtdir /home/packages/build:mypackage
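Review bot: The comment block is now out of step with the `prtdir` lines: the `6c37 team provides ...` note sits above the compat-32 entry instead of the two 6c37 lines it describes, and `# the following line enables the user maintained contrib collection` now introduces `prtdir /usr/ports/6c37-dropin` because the contrib entry moved up. Move the 6c37 note directly above `prtdir /usr/ports/6c37-dropin` and change the contrib comment to `# contrib is enabled above; the 6c37 collections follow`. The header says the first collection found wins, so if `6c37-dropin` is meant to replace ports from core/opt, as the name suggests, it has to be listed before them rather than last; worth confirming which ports it carries before relying on the current order.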
      @@ -38,7 +37,7 @@ logfile  /usr/ports/pkgbuild/%n-%v-%r.log
       readme verbose           # (verbose|compact|disabled)
       
       ### prefer higher versions in sysup / diff
      -#preferhigher yes      # (yes|no)
      +preferhigher no     # (yes|no)
       
       ### use regexp search
       # useregex no        # (yes|no)
      @@ -51,7 +50,7 @@ runscripts yes            # (no|yes)
       ### EXPERT SECTION ###
       
       ### alternative commands
      -makecommand      sudo -H -u pkgmk -g pkgmk fakeroot pkgmk
      +makecommand      sudo -H -u pkgmk -g users fakeroot pkgmk
       addcommand       sudo pkgadd
       removecommand    sudo pkgrm
       runscriptcommand sudo sh
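Review bot: `makecommand` now runs the build as `pkgmk` with primary group `users` instead of the dedicated `pkgmk` group, so everything a port's build does runs with write access to every file the `users` group can write, not just the build tree; a mistaken or tampered Pkgfile therefore reaches further than before. If the motivation is that `/usr/ports/*` or the packages directory are group-owned by `users`, chown those directories to `pkgmk:pkgmk` (or add `pkgmk` to a narrower group) and keep `makecommand      sudo -H -u pkgmk -g pkgmk fakeroot pkgmk`. Whichever is chosen, a one-line comment above `makecommand` naming the group and why would save the next reader from reverting it.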
      diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
      index c421e59..4606791 100644
      --- a/core/conf/sysctl.conf
      +++ b/core/conf/sysctl.conf
      @@ -374,7 +374,7 @@ kernel.grsecurity.tpe_gid = 100
       #  users on the system.  If the sysctl option is enabled, a sysctl option
       #  with name "tpe_invert" is created.  Unlike other sysctl options, this
       #  entry will default to on for backward-compatibility.
      -kernel.grsecurity.tpe_invert = 1
      +kernel.grsecurity.tpe_invert = 0
       
       #  If you say Y here, all non-root users will be covered under
       #  a weaker TPE restriction.  This is separate from, and in addition to,
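Review bot: Switching `kernel.grsecurity.tpe_invert` to 0 changes what the `kernel.grsecurity.tpe_gid = 100` in the hunk header means: with invert on, gid 100 was the trusted group exempt from TPE; with it off, gid 100 becomes the only group TPE applies to and everyone else is unrestricted, if I read the grsecurity semantics correctly. That is a narrowing of coverage rather than a hardening, which seems at odds with the commit subject; either the intent is to restrict only that group, or `tpe_gid` needs to change along with it. A comment above the line stating the intended reading, e.g. `# tpe_invert=0: TPE applies only to members of tpe_gid (100)`, would make the choice reviewable.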
      diff --git a/core/network.html b/core/network.html
      index 4f1f20a..92f0e1e 100644
      --- a/core/network.html
      +++ b/core/network.html
      @@ -138,6 +138,12 @@
               # sh /etc/rc.d/iptables start
               
      +

      See current rules and packets;

      + +
      +        # iptables -L -n -v | less
      +        
      +

      Copy init script, edit if you dont like to let drop when you call stop.

      diff --git a/core/scripts/act-chroot.sh b/core/scripts/act-chroot.sh index f8ae571..5411bc5 100644 --- a/core/scripts/act-chroot.sh +++ b/core/scripts/act-chroot.sh @@ -21,15 +21,15 @@ BLK_HOME="${DEV}8" #read CHROOT CHROOT="/mnt" -mount $BLK_ROOT $CHROOT - -mount $BLK_BOOT $CHROOT/boot -mount $BLK_EFI $CHROOT/boot/efi - -mount $BLK_VAR $CHROOT/var -mount $BLK_USR $CHROOT/usr -mount $BLK_PRT $CHROOT/usr/ports -mount $BLK_HOME $CHROOT/home +#mount $BLK_ROOT $CHROOT +# +#mount $BLK_BOOT $CHROOT/boot +#mount $BLK_EFI $CHROOT/boot/efi +# +#mount $BLK_VAR $CHROOT/var +#mount $BLK_USR $CHROOT/usr +#mount $BLK_PRT $CHROOT/usr/ports +#mount $BLK_HOME $CHROOT/home #mount -vt devpts devpts $CHROOT/dev/pts #mount -vt tmpfs shm $CHROOT/dev/shm diff --git a/core/scripts/setup-install.sh b/core/scripts/setup-install.sh old mode 100644 new mode 100755 index 0e0a720..c1d2765 --- a/core/scripts/setup-install.sh +++ b/core/scripts/setup-install.sh @@ -1,24 +1,9 @@ -#!/bin/sh +#!/bin/bash # Set Global Vars ADMIN_USER=c9admin DEV=$1 - -CHROOT="/mnt" -##read BLK_EFI -BLK_EFI="${DEV}2" -##read BLK_BOOT -BLK_BOOT="${DEV}3" -##read BLK_ROOT -BLK_ROOT="${DEV}4" -##read BLK_VAR -BLK_VAR="${DEV}5" -##read BLK_USR -BLK_USR="${DEV}6" -##read BLK_SWP -BLK_SWP="${DEV}7" -##read BLK_HOME -BLK_HOME="${DEV}8" +CHROOT=$2 # Absolute path to this script, # e.g. /home/user/c9-doc/core/scripts/foo.sh 
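Review bot: `CHROOT=$2` replaces the fixed `/mnt` with an argument that is never validated, and the rest of the script uses it unquoted as a path prefix; with `$2` missing, `-r ${CHROOT}` in `install_core` collapses to a bare `-r` that swallows the package path, and `pkgadd -f` then operates on the wrong root. Fail early with `: "${DEV:?usage: $0 DEV CHROOT}"` and `: "${CHROOT:?usage: $0 DEV CHROOT}"` right after the assignments. The shebang also moves from `sh` to `bash`, whose builtin `echo` does not expand `\n` by default, so messages like `echo "Installing $line;\n"` (in the `-57,133` hunk) and `echo "1.1.6. Install extra ports;\n"` (in the `-284,18` hunk) will now print a literal `\n`; use `printf '%s\n\n' "Installing $line;"` for those.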
@@ -57,133 +42,37 @@ ConfirmOrExit () } -setup_target () { - echo "1.1.2 Creating File System on $BLK_EFI with fat32:" - mkfs.fat -F 32 $BLK_EFI - echo "1.1.2 Creating File System on $BLK_BOOT with ext4:" - mkfs.ext4 $BLK_BOOT - echo "1.1.2 Creating File System on $BLK_ROOT with ext4:" - mkfs.ext4 $BLK_ROOT - echo "1.1.2 Creating File System on $BLK_VAR with ext4:" - mkfs.ext4 $BLK_VAR - echo "1.1.2 Creating File System on $BLK_USR with ext4:" - mkfs.ext4 $BLK_USR - echo "1.1.2 Creating Swap File System on $BLK_SWP:" - mkswap $BLK_SWP - echo "1.1.2 Creating File System on $BLK_HOME with ext4:" - mkfs.ext4 $BLK_HOME - - echo "1.1.3 mount point to chroot (/mnt):\n" - mount $BLK_ROOT $CHROOT - - mkdir -p $CHROOT/boot - mount $BLK_BOOT $CHROOT/boot - mkdir -p $CHROOT/boot/efi - mount $BLK_EFI $CHROOT/boot/efi - mkdir -p $CHROOT/var - mount $BLK_VAR $CHROOT/var - mkdir -p $CHROOT/usr - mount $BLK_USR $CHROOT/usr - mkdir -p $CHROOT/home - mount $BLK_HOME $CHROOT/home - - - mkdir -p $CHROOT/dev - mkdir -p $CHROOT/tmp - mkdir -p $CHROOT/proc - mkdir -p $CHROOT/sys - - mkdir -p $CHROOT/var/lib/pkg - mkdir -p $CHROOT/usr/ports - - mkdir -p $CHROOT/media - - mount --bind /dev $CHROOT/dev - mount -vt devpts devpts $CHROOT/dev/pts - mount -vt tmpfs shm $CHROOT/dev/shm - mount -vt proc proc $CHROOT/proc - mount -vt sysfs sysfs $CHROOT/sys - - modprobe isofs - modprobe loop - mount -o loop $ISO_FILE $CHROOT/media -} - -install_packages() { +install_core() { echo "1.1.4 Create core.lst and install pkgadd" - for p in $CHROOT/media/crux/core/*; do echo $p >> $CHROOT/core.lst; done + for p in ${CHROOT}mnt/media/crux/core/*; do echo $p >> ${CHROOT}core.lst; done - tar xf "$CHROOT/media/crux/core/pkgutils#5.40-1.pkg.tar.xz" usr/bin/pkgadd -O > $CHROOT/pkgadd + tar xf "${CHROOT}mnt/media/crux/core/pkgutils#5.40-1.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}pkgadd - chmod +x $CHROOT/pkgadd + chmod +x ${CHROOT}pkgadd echo "1.1.4 File core.lst complete, review list of packages before 
continue..." read PAUSE - vim $CHROOT/core.lst + vim ${CHROOT}core.lst echo "1.1.4 Starting install" - touch $CHROOT/var/lib/pkg/db + touch ${CHROOT}/var/lib/pkg/db cd $CHROOT while read line; do echo "Installing $line;\n" - $CHROOT/pkgadd -f -r $CHROOT $line - done < core.lst + ${CHROOT}pkgadd -u -f -r ${CHROOT} ${line} + done < ${CHROOT}core.lst - rm $CHROOT/pkgadd - rm $CHROOT/core.lst + rm ${CHROOT}pkgadd + rm ${CHROOT}core.lst - echo "1.1.5. Install extra packages;" - - mkdir $CHROOT/usr/ports/packages - cp $CHROOT/media/crux/core/* $CHROOT/usr/ports/packages - cp $CHROOT/media/crux/opt/* $CHROOT/usr/ports/packages - cp $CHROOT/media/crux/xorg/* $CHROOT/usr/ports/packages + mkdir ${CHROOT}usr/ports/packages + cp ${CHROOT}media/crux/core/* ${CHROOT}usr/ports/packages - echo "Installing $CHROOT/usr/ports/packages/fakeroot" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/fakeroot#* - echo "Installing $CHROOT/usr/ports/packages/dbus" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dbus#* - echo "Installing $CHROOT/usr/ports/packages/expat" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/expat#* - echo "Installing $CHROOT/usr/ports/packages/libnl" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libnl#* - echo "Installing $CHROOT/usr/ports/packages/libpng" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libpng#* - echo "Installing $CHROOT/usr/ports/packages/freetype" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/freetype#* - echo "Installing $CHROOT/usr/ports/packages/libffi" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libffi#* - echo "Installing $CHROOT/usr/ports/packages/sqlite3" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/sqlite3#* - echo "Installing $CHROOT/usr/ports/packages/python" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/python#* - echo "Installing $CHROOT/usr/ports/packages/glib" - 
$CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/glib#* - echo "Installing $CHROOT/usr/ports/packages/grub2" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/grub2#* - echo "Installing $CHROOT/usr/ports/packages/grub2-efi" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/grub2-efi#* - echo "Installing $CHROOT/usr/ports/packages/wireless-tools" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wireless-tools#* - echo "Installing $CHROOT/usr/ports/packages/wpa_supplicant" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wpa_supplicant#* - echo "Installing $CHROOT/usr/ports/packages/lvm2" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/lvm2#* - echo "Installing $CHROOT/usr/ports/packages/mdadm" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/mdadm#* - echo "Installing $CHROOT/usr/ports/packages/efivar" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efivar#* - echo "Installing $CHROOT/usr/ports/packages/efibootmgr" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efibootmgr#* - echo "Installing $CHROOT/usr/ports/packages/dosfstools" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dosfstools#* - - echo "1.1.6. Install extra ports;\n" +} - mkdir $CHROOT/usr/ports/c9-ports - cp -r $DIR_PRT/* $CHROOT/usr/ports/c9-ports/ +setup_core() { echo "1.1.7. dns resolver, copy resolv.conf;\n" cp /etc/resolv.conf $CHROOT/etc @@ -193,9 +82,6 @@ install_packages() { echo "1.1.9. Install Skeletons\n" cp -r $DIR_CONF/skel $CHROOT/etc/ -} - -host_metadata() { echo "1.2.1. Set hostname and hosts;" cp $DIR_CONF/hosts $CHROOT/etc/ @@ -229,9 +115,6 @@ host_metadata() { cp $DIR_CONF/rc.conf $CHROOT/etc/ vim $CHROOT/etc/rc.conf -} - -setup_ports() { echo "1.3.1. Build as unprivileged user;" chroot $CHROOT /usr/bin/env -i \ 
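Review bot: `install_core` builds `core.lst` from `${CHROOT}mnt/media/crux/core/*` but later copies from `${CHROOT}media/crux/core/*`; one of the two prefixes is wrong, and the `cp` fails or copies nothing unless both trees happen to exist. The function also mixes two conventions for `CHROOT`: `${CHROOT}core.lst` and `${CHROOT}pkgadd` only work if the argument ends in `/`, while `touch ${CHROOT}/var/lib/pkg/db`, `cd $CHROOT` and the `$CHROOT/usr/...` paths in `install_packages` treat it as a directory. Normalise once at the top, `CHROOT=${2%/}`, and write every path as `"$CHROOT/..."`; the `-193,9` and `-229,9` hunks that fold `host_metadata` and `setup_ports` into `setup_core` already use the `$CHROOT/` form, so that is the style to converge on.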
@@ -284,18 +167,59 @@ setup_ports() { #vim $CHROOT/etc/prt-get.conf } -echo "SCRIPT=$SCRIPT"; -echo "SCRIPTPATH=$SCRIPTPATH"; +install_packages() { -echo "Device: $DEV\n" + echo "1.1.5. Install extra packages;" + cp $CHROOT/media/crux/opt/* $CHROOT/usr/ports/packages + cp $CHROOT/media/crux/xorg/* $CHROOT/usr/ports/packages -echo "1.1.2 EFI block; ($BLK_EFI)" -echo "1.1.2 boot block; ($BLK_BOOT)" -echo "1.1.2 root block; ($BLK_ROOT)" -echo "1.1.2 var block; ($BLK_VAR)" -echo "1.1.2 usr block; ($BLK_USR)" -echo "1.1.2 swap block; ($BLK_SWP)" -echo "1.1.2 home block; ($BLK_HOME)\n" + echo "Installing $CHROOT/usr/ports/packages/fakeroot" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/fakeroot#* + echo "Installing $CHROOT/usr/ports/packages/dbus" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dbus#* + echo "Installing $CHROOT/usr/ports/packages/expat" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/expat#* + echo "Installing $CHROOT/usr/ports/packages/libnl" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libnl#* + echo "Installing $CHROOT/usr/ports/packages/libpng" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libpng#* + echo "Installing $CHROOT/usr/ports/packages/freetype" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/freetype#* + echo "Installing $CHROOT/usr/ports/packages/libffi" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libffi#* + echo "Installing $CHROOT/usr/ports/packages/sqlite3" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/sqlite3#* + echo "Installing $CHROOT/usr/ports/packages/python" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/python#* + echo "Installing $CHROOT/usr/ports/packages/glib" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/glib#* + echo "Installing $CHROOT/usr/ports/packages/grub2" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT 
$CHROOT/usr/ports/packages/grub2#* + echo "Installing $CHROOT/usr/ports/packages/grub2-efi" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/grub2-efi#* + echo "Installing $CHROOT/usr/ports/packages/wireless-tools" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wireless-tools#* + echo "Installing $CHROOT/usr/ports/packages/wpa_supplicant" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wpa_supplicant#* + echo "Installing $CHROOT/usr/ports/packages/lvm2" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/lvm2#* + echo "Installing $CHROOT/usr/ports/packages/mdadm" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/mdadm#* + echo "Installing $CHROOT/usr/ports/packages/efivar" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efivar#* + echo "Installing $CHROOT/usr/ports/packages/efibootmgr" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efibootmgr#* + echo "Installing $CHROOT/usr/ports/packages/dosfstools" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dosfstools#* + + echo "1.1.6. Install extra ports;\n" + + mkdir $CHROOT/usr/ports/c9-ports + cp -r $DIR_PRT/* $CHROOT/usr/ports/c9-ports/ + +} +echo "SCRIPT=$SCRIPT"; +echo "SCRIPTPATH=$SCRIPTPATH"; echo "ADMIN_USER="$ADMIN_USER"\n" echo "CHROOT=$CHROOT"; @@ -307,9 +231,8 @@ echo "ISO_FILE=$ISO_FILE"; ConfirmOrExit echo "press enter to continue" read -setup_target -install_packages -host_metadata -setup_ports +install_core +#setup_core +#install_packages echo "Ready to chroot $CHROOT /bin/bash \n" diff --git a/core/scripts/setup-target.sh b/core/scripts/setup-target.sh old mode 100644 new mode 100755 index 6931fe9..d46d4bb --- a/core/scripts/setup-target.sh +++ b/core/scripts/setup-target.sh 
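Review bot: `install_packages` repeats the same `echo`/`pkgadd` pair nineteen times with only the package name changing, so adding or reordering a package means editing two lines in lockstep and `$CHROOT` stays unquoted in every copy. A loop over the name list keeps the install order and quotes the root once. The function is new, yet `setup_core` and `install_packages` are left commented out in the call sequence at the end of the hunk with nothing saying why; a `# TODO:` line there would tell the reader whether that is deliberate.
```shell
install_packages() {

  echo "1.1.5. Install extra packages;"
  # … unchanged: cp of the opt/ and xorg/ package directories …

  for p in fakeroot dbus expat libnl libpng freetype libffi sqlite3 python glib \
           grub2 grub2-efi wireless-tools wpa_supplicant lvm2 mdadm efivar efibootmgr dosfstools; do
    echo "Installing $CHROOT/usr/ports/packages/$p"
    "$CHROOT"/usr/bin/pkgadd -f -r "$CHROOT" "$CHROOT"/usr/ports/packages/"$p"#*
  done

  # … unchanged: 1.1.6 extra ports copy …
}
```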
@@ -1,5 +1,36 @@ #!/bin/sh +DEV=/dev + +SETUP_TARGET="print" +CHROOT="/mnt" + +# Absolute path to this script, e.g. /home/user/bin/foo.sh +SCRIPT=$(readlink -f "$0") +# Absolute path this script is in, thus /home/user/bin +SCRIPTPATH=$(dirname "$SCRIPT") + +DIR=$(dirname "$SCRIPTPATH"); +DIR_LOCAL="$(dirname $(dirname ${DIR}))/local"; + +ISO_FILE="${DIR_LOCAL}/crux-3.3.iso" + +##read BLK_EFI +BLK_EFI="${DEV}2" +##read BLK_BOOT +BLK_BOOT="${DEV}3" +##read BLK_ROOT +BLK_ROOT="${DEV}4" +##read BLK_VAR +BLK_VAR="${DEV}5" +##read BLK_USR +BLK_USR="${DEV}6" +##read BLK_SWP +BLK_SWP="${DEV}7" +##read BLK_HOME +BLK_HOME="${DEV}8" + + # First we define the function ConfirmOrExit () { 
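Review bot: `DEV=/dev` replaces the old `DEV=$1`, so `BLK_EFI="${DEV}2"` through `BLK_HOME="${DEV}8"` now expand to `/dev2` … `/dev8` and `partition_target` would run `parted --script /dev`; nothing in the new option loop (the `-19,31` hunk) sets `DEV`. Take the disk from the environment or an option and refuse to continue without it, e.g. `: "${DEV:?set DEV to the target disk, e.g. DEV=/dev/<disk> $0 --partition}"`. `DIR_LOCAL="$(dirname $(dirname ${DIR}))/local"` is the one unquoted `dirname` chain here and splits on a path with spaces; `"$(dirname "$(dirname "$DIR")")/local"` is the safe form.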
@@ -19,31 +50,173 @@ ConfirmOrExit () echo "You entered $CONFIRM. Continuing ..." } -DEV=$1 - -echo "Device: $DEV\n" -ConfirmOrExit - -parted --script $DEV \ - mklabel gpt \ - unit mib \ - mkpart primary 1 3 \ - name 1 grub \ - set 1 bios_grub on \ - mkpart ESP fat32 3 125 \ - name 2 efi \ - set 2 boot on \ - mkpart primary ext4 125 1128 \ - name 3 boot \ - mkpart primary ext4 1128 5128 \ - name 4 root \ - mkpart primary ext4 5128 6128 \ - name 5 var \ - mkpart primary ext4 6128 14128 \ - name 6 usr \ - mkpart primary linux-swap 14128 18128 \ - name 7 swap \ - mkpart primary ext4 18128 100% \ - name 8 home - -exit 0; + +partition_target () { + + parted --script $DEV \ + mklabel gpt \ + unit mib \ + mkpart primary 1 3 \ + name 1 grub \ + set 1 bios_grub on \ + mkpart ESP fat32 3 125 \ + name 2 efi \ + set 2 boot on \ + mkpart primary ext4 125 1128 \ + name 3 boot \ + mkpart primary ext4 1128 5128 \ + name 4 root \ + mkpart primary ext4 5128 6128 \ + name 5 var \ + mkpart primary ext4 6128 14128 \ + name 6 usr \ + mkpart primary linux-swap 14128 18128 \ + name 7 swap \ + mkpart primary ext4 18128 100% \ + name 8 home +} + +mount_target () { + echo "1.1.2 Creating File System on $BLK_EFI with fat32:" + mkfs.fat -F 32 $BLK_EFI + echo "1.1.2 Creating File System on $BLK_BOOT with ext4:" + mkfs.ext4 $BLK_BOOT + echo "1.1.2 Creating File System on $BLK_ROOT with ext4:" + mkfs.ext4 $BLK_ROOT + echo "1.1.2 Creating File System on $BLK_VAR with ext4:" + mkfs.ext4 $BLK_VAR + echo "1.1.2 Creating File System on $BLK_USR with ext4:" + mkfs.ext4 $BLK_USR + echo "1.1.2 Creating Swap File System on $BLK_SWP:" + mkswap $BLK_SWP + echo "1.1.2 Creating File System on $BLK_HOME with ext4:" + mkfs.ext4 $BLK_HOME + + echo "1.1.3 mount point to chroot (/mnt):\n" + mount $BLK_ROOT $CHROOT + + mkdir -p $CHROOT/boot + mount $BLK_BOOT $CHROOT/boot + + mkdir -p $CHROOT/boot/efi + mount $BLK_EFI $CHROOT/boot/efi + + mkdir -p $CHROOT/var + mount $BLK_VAR $CHROOT/var + + mkdir -p $CHROOT/usr + 
mount $BLK_USR $CHROOT/usr + + mkdir -p $CHROOT/home + mount $BLK_HOME $CHROOT/home + + mkdir -p $CHROOT/var/lib/pkg + mkdir -p $CHROOT/usr/ports + + mkdir -p $CHROOT/media + + mkdir -p $CHROOT/dev + mkdir -p $CHROOT/tmp + mkdir -p $CHROOT/proc + mkdir -p $CHROOT/sys + +} + +directory_target () { + + mkdir -p $CHROOT/home + mkdir -p $CHROOT/boot/efi + mkdir -p $CHROOT/var/lib/pkg + mkdir -p $CHROOT/usr/ports + + mkdir -p $CHROOT/media + + mkdir -p $CHROOT/dev + mkdir -p $CHROOT/tmp + mkdir -p $CHROOT/proc + mkdir -p $CHROOT/sys + +} + + +enable_target () { + + mount --bind /dev $CHROOT/dev + mount -vt devpts devpts $CHROOT/dev/pts + mount -vt tmpfs shm $CHROOT/dev/shm + mount -vt proc proc $CHROOT/proc + mount -vt sysfs sysfs $CHROOT/sys + + modprobe isofs + modprobe loop + mount -o loop $ISO_FILE $CHROOT/media +} + +print_target() { + echo "Device: $DEV" + echo "CHROOT: $CHROOT" + echo "ISO_FILE: $ISO_FILE" + echo "Option Selected: $SETUP_TARGET\n" + + echo "1.1.2 EFI block; ($BLK_EFI)" + echo "1.1.2 boot block; ($BLK_BOOT)" + echo "1.1.2 root block; ($BLK_ROOT)" + echo "1.1.2 var block; ($BLK_VAR)" + echo "1.1.2 usr block; ($BLK_USR)" + echo "1.1.2 swap block; ($BLK_SWP)" + echo "1.1.2 home block; ($BLK_HOME)\n" + + +} + +print_help() { + echo "usage: setup_target [options]" + echo "options:" + echo " -p, --partition create partitions and file systems" + echo " -m, --mount mount partitions on chroot" + echo " -d, --directory keep temporary working directory" + echo " -e, --enable enable chroot (proc,dev, sys...)" + echo " -v, --view view environment vars and exit" + echo " -h, --help print help and exit" +} + + +while [ "$1" ]; do + case $1 in + -p|--partition) + SETUP_TARGET="partition" + print_target + ConfirmOrExit + partition_target + exit 0 ;; + -m|--mount) + SETUP_TARGET="mount" + print_target + ConfirmOrExit + mount_target + exit 0 ;; + -d|--directory) + SETUP_TARGET="directory" + print_target + ConfirmOrExit + directory_target + exit 0 ;; + -e|--enable) + 
SETUP_TARGET="enable" + print_target + ConfirmOrExit + enable_target + exit 0 ;; + -v|--view) + SETUP_TARGET="view" + print_target + exit 0 ;; + -h|--help) + print_help + exit 0 ;; + *) + echo "setup-target: invalid option $1" + exit 1 ;; + esac + shift +done diff --git a/dev/c/index.html b/dev/c/index.html index 09374c6..684c7d2 100644 --- a/dev/c/index.html +++ b/dev/c/index.html @@ -7,6 +7,92 @@ Development Index +
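Review bot: `mount_target` runs `mkfs.fat`, `mkfs.ext4` on five partitions and `mkswap` before it mounts anything, yet the option is `-m, --mount` and `print_help` describes it as `mount partitions on chroot`; the single confirmation prompt prints the block devices but never says they are about to be formatted. Either split the mkfs/mkswap block into its own option or at least make the help line honest: `echo " -m, --mount      format (mkfs/mkswap) and mount partitions on chroot"`. Every `case` arm ends in `exit 0`, so the `while [ "$1" ]; do … shift; done` wrapper never sees a second argument and `shift` is dead code; a plain `case "$1" in` would say what the code actually does. `parted --script $DEV`, `mkfs.ext4 $BLK_ROOT` and the `mount` lines also leave the device variables unquoted.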

      System Development

      + +

      System development requires debug kernel know how, + in this example will be used qemu and gdb. A simple init + program is created. Create init.S;

      + +
      +	.global _start
      +	_start:
      +	    mov $1, %rax
      +	    mov $1, %rdi
      +	    mov $message, %rsi
      +	    mov $message_len, %rdx
      +	    syscall
      +	    jmp .
      +	    message: .ascii "FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR\n"
      +	    .equ message_len, . - message
      +	
      + +

      Assemble, link and create simple initial ram disk;

      + +
      +	mkdir d
      +	as --64 -o init.o init.S # assemble
      +	ld -o d/init init.o      # link
      +	cd d
      +	find . | cpio -o -H newc | gzip > ../rootfs.cpio.gz
      +	
      + +

      Clean temporary directory;

      + +
      +	cd ..
      +	rm -r d/
      +	
      + +

      Can be used C to create init program;

      + +
      +	#include <stdio.h>
      +	#include <unistd.h>
      +
      +	int main() {
      +	    printf("FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR\n");
      +	    sleep(0xFFFFFFFF);
      +	    return 0;
      +	}
      +	
      + +
      +	$ gcc -static init.c -o init
      +	
      + +

      Test qemu, kernel and simple init program, you should see + "FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR";

      + +
      +	$ qemu-system-x86_64 -enable-kvm --kernel arch/x86_64/boot/bzImage \
      +    	--initrd rootfs.cpio.gz
      +	
      + +

      If everything goes well you can start qemu without start CPU at + startup (-S) and with gdb server on TCP port 1234 (-s).

      + +
      +	$ qemu-system-x86_64 -enable-kvm --kernel arch/x86/boot/bzImage \
      +                --initrd rootfs.cpio.gz \
      +		-S -s
      +	
      + +

      On another terminal start gdb;

      + +
      +	gdb \
      +	    -ex "add-auto-load-safe-path $(pwd)" \
      +	    -ex "file vmlinux" \
      +	    -ex 'set arch i386:x86-64:intel' \
      +	    -ex 'target remote localhost:1234' \
      +	    -ex 'break start_kernel' \
      +	    -ex 'continue' \
      +	    -ex 'disconnect' \
      +	    -ex 'set arch i386:x86-64' \
      +	    -ex 'target remote localhost:1234'
      +	
      + +

      C & GDB

      C program with autotools @@ -74,7 +160,7 @@ thread 1 -

      Stopping and Starting +

      Stopping and Starting multi-thread programs

      @@ -86,8 +172,6 @@
               
               strace -c ./program
               
      - - Development Index

      This is part of the c9-doc Manual. diff --git a/tools/conf/etc/fonts/local.conf b/tools/conf/etc/fonts/local.conf new file mode 100644 index 0000000..64dc276 --- /dev/null +++ b/tools/conf/etc/fonts/local.conf 
@@ -0,0 +1,1542 @@ + + + + + + + + + + + + 96 + + + + + + + true + + + + + + + unknown + + + rgb + + + + + + + + + + + + Franklin Gothic Medium + Frutiger Linotype + + Lucida Sans Unicode + + + + 13.4 + + + + medium + + + + roman + + + + false + + + + + + + + + Comic Sans MS + + + 15 + + + medium + + + roman + + + false + + + + + + + Georgia + Lucida Sans + Lucida Sans Typewriter + + Microsoft Sans Serif + + Tahoma + Trebuchet MS + Verdana + + + 16.1 + + + medium + + + roman + + + + false + + + + + + + Arial + Arial Narrow + Berling Antiqua + Book Antiqua + Bookman Old Style + Garamond + + Lucida Console + Palatino Linotype + SylfaenARM + Times New Roman + + + 17.4 + + + medium + + + roman + + + false + + + + + + + Century Gothic + Kartika + + + 21.4 + + + medium + + + roman + + + false + + + + + + + Vrinda + + + 23 + + + medium + + + roman + + + false + + + + + + + Courier New + + + 29.4 + + + medium + + + roman + + + false + + + + + + + Georgia + + + 12 + + + medium + + + roman + + + false + + + + + + + Tahoma + Verdana + + + 13.4 + + + medium + + + roman + + + false + + + + + + + Courier New + + + 16 + + + medium + + + roman + + + false + + + + + + + + + hintfull + + + + + + + Bitstream Charter + Courier 10 Pitch + DejaVu Sans Condensed + DejaVu Serif Condensed + FreeMono + FreeSans + FreeSerif + Luxi Mono + Luxi Sans + Luxi Serif + MgOpen Canonica + MgOpen Cosmetica + MgOpen Modata + MgOpen Moderna + URW Bookman L + URW Chancery L + URW Gothic L + URW Palladio L + + + + true + + + + + + + Arial + + + 12 + + + 13.4 + + + medium + + + roman + + + true + + + + + + + Book Antiqua + + + 16 + + + medium + + + roman + + + true + + + + + + + + Frutiger Linotype + + Times New Roman + + Verdana + + + medium + + + roman + + + true + + + + + + + + 7 + + + 7 + + + + + + + 9.4 + + + 9.4 + + + + + + + + + Arial + + + 10.7 + + + medium + + + 10.7 + + + + + + + + 0 + + + + + true + + + + + + + + + Bitstream Charter + + + serif + + + + + + Bitstream Vera Sans + + + sans + + + + 
+ + + DejaVu Sans + + + sans + + + + + + DejaVu Sans Condensed + + + Arial + + + + + + + + + Helvetica + + + Sans + + + + + + Helvetica Neue + + + Sans + + + + + + Lucida + + + Arial + + + + + + + LucidaBright + + + Arial + + + + + + Lucida Bright + + + Arial + + + + + + Luxi Sans + + + Arial + + + + + + MgOpen Cosmetica + + + Arial + + + + + + MgOpen Modata + + + Arial + + + + + + MgOpen Moderna + + + Arial + + + + + + System + + + Arial + + + + + + URW Gothic L + + + Arial + + + + + + + Verdana + + + Noto Sans + + + Open Sans + + + + + + + Bitstream Vera Serif + + + Georgia + + + + + + DejaVu Serif + + + Georgia + + + + + + DejaVu Serif Condensed + + + Georgia + + + + + + + + Luxi Serif + + + Georgia + + + + + + MgOpen Canonica + + + Georgia + + + + + + New Century Schoolbook + + + Georgia + + + + + + New York + + + Georgia + + + + + + Palatino + + + Georgia + + + + + + Times + + + Georgia + + + + + + URW Bookman L + + + Georgia + + + + + + URW Palladio L + + + Georgia + + + + + + + Andale Mono + + + monospace + + + + + + Bitstream Vera Sans Mono + + + Courier New + + + + + + Courier + + + monospace + + + + + + DejaVu Sans Mono + + + monospace + + + + + + Fixedsys + + + Courier New + + + + + + + + + LucidaTypewriter + + + Courier New + + + + + + Lucida Typewriter + + + Courier New + + + + + + Luxi Mono + + + Courier New + + + + + + Monaco + + + Courier New + + + + + + Terminal + + + Courier New + + + + + + + Apple Chancery + + + Comic Sans MS + + + + + + Lucida Handwriting + + + Comic Sans MS + + + + + + URW Chancery L + + + Comic Sans MS + + + + + + Zapf Chancery + + + Comic Sans MS + + + + + + + Copperplate + + + Impact + + + + + + Desdemona + + + Impact + + + + + + Kino + + + Impact + + + + + + Techno + + + Impact + + + + + + + + cursive + + Comic Sans MS + + + + + fantasy + + Impact + + + + + + + + + + + Arial + + + 12.0 + + + droid sans + + + + + + + + Arial + + + 13.0 + + + noto sans + + + + + + + Arial + + + noto sans + + + + + + + Georgia + + + Noto Serif 
+ + + + + + + + noto sans + + + true + + + hintfull + + + + + + + ubuntu + + + true + + + hintfull + + + + + + + Droid Sans + Droid Sans Mono + + + false + + + hintfull + + + + + + + liberation mono + + + false + + + hintmedium + + + + + + + + + + + + + noto sans + + + 16 + + + medium + + + true + + + hintslight + + + + + + + noto sans + + + 16 + + + medium + + + true + + + true + + + hintslight + + + + + + + + + + + + + + + + + + + + + + + + monospace + + + Droid Sans Mono + + + + + + + sans-serif + + + Noto Sans + + + + + + + Courier New + + + Droid Sans Mono + + + + + + + + + + + + Times New Roman + serif + + + + Noto Serif + + + + + + + + Lucida Grande + + + medium + + + hintslight + + + + + + + + Lucida Console + + + true + + + false + + + hintfull + + + + + + + Open Sans + + + true + + + hintfull + + + + + + + + + + + hi + + + Lohit Hindi + + + + + + + gargi + Lohit Hindi + + + true + + + true + + + hintslight + + + + + + + mangal + + + Lohit Hindi + + + + + + diff --git a/tools/conf/etc/iptables/iptables-br.sh b/tools/conf/etc/iptables/iptables-br.sh new file mode 100644 index 0000000..104e574 --- /dev/null +++ b/tools/conf/etc/iptables/iptables-br.sh 
@@ -0,0 +1,318 @@ +#!/bin/sh + +# +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# + +# | +# v +# +-------------+ +------------------+ +# |table: filter| <---+ | table: nat | +# |chain: INPUT | | | chain: PREROUTING| +# +-----+-------+ | +--------+---------+ +# | | | +# v | v +# [local process] | **************** +--------------+ +# | +---------+ Routing decision +------> |table: filter | +# v **************** |chain: FORWARD| +# **************** +------+-------+ +# Routing decision | +# **************** | +# | | +# v **************** | +# +-------------+ +------> Routing decision <---------------+ +# |table: nat | | **************** +# |chain: OUTPUT| | + +# +-----+-------+ | | +# | | v +# v | +-------------------+ +# +--------------+ | | table: nat | +# |table: filter | +----+ | chain: POSTROUTING| +# |chain: OUTPUT | +--------+----------+ +# +--------------+ | +# v +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] -I chain [rulenum] rule-specification +# +# iptables [-t table] -R chain rulenum rule-specification +# +# iptables [-t table] -D chain rulenum +# +# iptables [-t table] -S [chain [rulenum]] +# +# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] +# +# iptables [-t table] -N chain +# +# iptables [-t table] -X [chain] +# +# iptables [-t table] -P chain target +# +# iptables [-t table] -E old-chain-name new-chain-name +# +# rule-specification = [matches...] [target] +# +# match = -m matchname [per-match-options] +# +# +# Targets +# +# can be a user defined chain +# +# ACCEPT - accepts the packet +# DROP - drop the packet on the floor +# QUEUE - packet will be stent to queue +# RETURN - stop traversing this chain and +# resume ate the next rule in the +# previeus (calling) chain. 
+# +# if packet reach the end of the chain or +# a target RETURN, default policy for that +# chain is applayed. +# +# Target Extensions +# +# AUDIT +# CHECKSUM +# CLASSIFY +# DNAT +# DSCP +# LOG +# Torn on kernel logging, will print some +# some information on all matching packets. +# Log data can be read with dmesg or syslogd. +# This is a non-terminating target and a rule +# should be created with matching criteria. +# +# --log-level level +# Level of logging (numeric or see sys- +# log.conf(5) +# +# --log-prefix prefix +# Prefix log messages with specified prefix +# up to 29 chars log +# +# --log-uid +# Log the userid of the process with gener- +# ated the packet +# NFLOG +# This target pass the packet to loaded logging +# backend to log the packet. One or more userspace +# processes may subscribe to the group to receive +# the packets. +# +# ULOG +# This target provides userspace logging of maching +# packets. One or more userspace processes may then +# then subscribe to various multicast groups and +# then receive the packets. +# +# +# Commands +# +# -A, --append chain rule-specification +# -C, --check chain rule-specification +# -D, --delete chain rule-specification +# -D, --delete chain rulenum +# -I, --insert chain [rulenum] rule-specification +# -R, --replace chain rulenum rule-specification +# -L, --list [chain] +# -P, --policy chain target +# +# Parameters +# +# -p, --protocol protocol +# tcp, udp, udplite, icmp, esp, ah, sctp, all +# -s, --source address[/mask][,...] +# -d, --destination address[/mask][,...] +# -j, --jump target +# -g, --goto chain +# -i, --in-interface name +# -o, --out-interface name +# -f, --fragment +# -m, --match options module-name +# iptables can use extended packet matching +# modules. 
+# -c, --set-counters packets bytes
+
+IPT="/usr/sbin/iptables"
+SPAMLIST="blockedip"
+SPAMDROPMSG="BLOCKED IP DROP"
+# public interface to network/internet
+PUB_IF="wlp7s0"
+DHCP_SERV="192.168.1.1"
+PUB_IP="192.168.1.33"
+NET_ADDR="192.168.1.0/24"
+# private interface for virtual/internal
+PRIV_IF="br0"
+PRIV_IP="10.0.0.1"
+
+modprobe ip_conntrack
+modprobe ip_conntrack_ftp
+
+echo "Stopping ipv4 firewall and deny everyone..."
+
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -t raw -F
+iptables -t raw -X
+iptables -t security -F
+iptables -t security -X
+
+
+echo "Starting ipv4 firewall filter table..."
+
+# Set Default Rules
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+###### AP rules ######
+echo 1 > /proc/sys/net/ipv4/ip_forward
+$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT
+$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT
+$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}
+
+# Block sync
+$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
+$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+
+# Block Fragments
+$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
+$IPT -A INPUT -f -j DROP
+
+# Block bad stuff
+$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+
+$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
+$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
+$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+
+$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
+$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+
+$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+
+###### Input Chain ######
+
+# Unlimited on local
+$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT
+#$IPT -A INPUT -i lo -s ${PRIV_IP} -j ACCEPT
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s 192.168.1.33 -d 192.168.1.33 -j ACCEPT
+
+echo "Allow input from DNS Server"
+$IPT -A INPUT -i ${PUB_IF} -p udp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input from Https server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input to HTTPS Server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+#echo "Allow input from HTTP Server"
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input from IRC server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 6667 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input from FTP server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 21 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input from git server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input from POP3S server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input from SMTPS server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input to HTTP Server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+#echo "Allow input to DNS Server"
+#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+
+echo "Allow input to SSH server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+###### Output Chain ######
+
+# Unlimited on loopback
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 192.168.1.33 -d 192.168.1.33 -j ACCEPT
+#$IPT -A OUTPUT -o lo -d ${PRIV_IP} -j ACCEPT
+
+# Unlimited on local
+$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT
+
+echo "Allow output to DNS server"
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+
+echo "Allow output to https server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 443 -j ACCEPT
+
+echo "Allow output from https server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+#echo "Allow output from http server"
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+#echo "Allow to HTTP server"
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow output to SSH server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow output to ftp server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow output to git server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow output to IRC server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow output to SMTPS server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow output to POP3S server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+## less logs
+
+echo "Drop RIP protocol"
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s $NET_ADDR -j DROP
+
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT
+
+## log everything else and drop
+$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+#
+exit 0
diff --git a/tools/conf/etc/iptables/vlan.v4 b/tools/conf/etc/iptables/vlan.v4
index 9248630..7954521 100644
--- a/tools/conf/etc/iptables/vlan.v4
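Review bot: `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT` in the AP rules forwards any packet arriving on the public interface into the bridge without a state match, so the SNAT setup does not limit inbound forwarding to replies; `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -m state --state RELATED,ESTABLISHED -j ACCEPT` is the usual form. The three catch-all `-j LOG` rules at the end carry no `-m limit`, unlike every earlier logging rule in the file, so under the DROP policies every unmatched packet is written to the log and a burst of traffic floods it. The flush runs before `iptables -P ... DROP`, which leaves a short accept-everything window on a host whose policies were not already DROP; setting the policies first closes it. The file also mixes bare `iptables` with `$IPT`, hard-codes `192.168.1.33` in the loopback rules where `${PUB_IP}` already exists, and defines `SPAMLIST`/`SPAMDROPMSG` without using them, which a reader will take for an unfinished block.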
+++ b/tools/conf/etc/iptables/vlan.v4 
@@ -1,170 +1,112 @@ -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *security -:INPUT ACCEPT [6:2056] +:INPUT ACCEPT [85:6694] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [6:2056] +:OUTPUT ACCEPT [3:179] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *raw -:PREROUTING ACCEPT [7:2092] -:OUTPUT ACCEPT [6:2056] +:PREROUTING ACCEPT [97:7863] +:OUTPUT ACCEPT [3:179] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 +*nat +:PREROUTING ACCEPT [6:683] +:INPUT ACCEPT [2:138] +:OUTPUT ACCEPT [2:131] +:POSTROUTING ACCEPT [2:131] +COMMIT +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *mangle -:PREROUTING ACCEPT [7:2092] -:INPUT ACCEPT [6:2056] +:PREROUTING ACCEPT [8:624] +:INPUT ACCEPT [8:624] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [6:2056] -:POSTROUTING ACCEPT [6:2056] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *filter :INPUT DROP [0:0] -:FORWARD ACCEPT [0:0] +:FORWARD DROP [0:0] :OUTPUT DROP [0:0] +:ACCEPTLOG - [0:0] +:DROPLOG - [0:0] +:REJECTLOG - [0:0] +:RELATED_ICMP - [0:0] +:SYN_FLOOD - [0:0] -A INPUT -i lo -j ACCEPT --A INPUT -i br0 -j ACCEPT --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A INPUT -p tcp -m tcp ! 
--tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A INPUT -f -j DROP +-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT +-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:" +-A INPUT -p icmp -j DROP +-A INPUT -p icmp -f -j DROPLOG +-A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP +-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A INPUT -p icmp -j DROPLOG +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +-A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +-A INPUT -m state --state INVALID -j DROP +-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK 
FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP -################################################################################# -# INPUT -# Established connections and passive -# - -# Allow established from dns server -#-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# INPUT accept passive --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT - - -# Allow irc --A INPUT -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow xmmp --A INPUT -p tcp -m tcp --sport 5222 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT -# Allow established from https server --A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT --A INPUT -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow established from http server --A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from rsync server --A INPUT -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from pop3s server --A INPUT -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from smtps server --A INPUT -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from ntp server --A INPUT -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from whois server --A INPUT -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow 
established from ftp server --A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -################################################################################## -# INPUT -# New and established connections to local servers -# - -# allow ping --A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT - -# INPUT accept to dns server --A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - -# INPUT accept from wlp7s0 to https server +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD +-A INPUT -p tcp -m tcp ! 
--tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +-A INPUT -f -j DROPLOG -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# INPUT accept from wlp7s0 to ssh server --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT - --A FORWARD -i br0 -j ACCEPT - --A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 --A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 - -################################################################################## -# Output -# Connections to remote servers -# +-A INPUT -j DROPLOG +-A FORWARD -p icmp -f -j DROPLOG +-A FORWARD -p icmp -j DROPLOG +-A FORWARD -m state --state INVALID -j DROP +-A FORWARD -j REJECTLOG -A OUTPUT -o lo -j ACCEPT --A OUTPUT -o br0 -j ACCEPT - -# Allow ping --A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow to ssh clients +-A OUTPUT -p icmp -j ACCEPT +-A OUTPUT -p icmp -f -j DROPLOG +-A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A OUTPUT -p icmp -j DROPLOG +-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -m state --state INVALID -j DROP +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow to dns -#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow from dns server --A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow 
irc +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow xmmp --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - - -# Allow to rsync server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to pop3s server -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to smtps server -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ntp server -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ftp server -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to https server --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT --A OUTPUT -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to http server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - -################################################################################## -# Output -# Connections from local servers -# - - --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 
1024:65535 -m state --state NEW -j ACCEPT - - --A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 -COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 -*nat -:PREROUTING ACCEPT [1:36] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] - --A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT --A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE -#-A POSTROUTING -o wlp7s0 -j MASQUERADE - +-A OUTPUT -j DROPLOG +-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A ACCEPTLOG -j ACCEPT +-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A DROPLOG -j DROP +-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset +-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable +-A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT +-A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT +-A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT +-A RELATED_ICMP -j DROPLOG +-A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN +-A SYN_FLOOD -j DROP COMMIT -# Completed on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf index 4e01b88..f7c3484 100644 --- a/tools/conf/etc/nginx/sites-enabled/default.conf +++ b/tools/conf/etc/nginx/sites-enabled/default.conf 
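Review bot: The new `-A INPUT -p icmp -j DROP` (third rule of the chain) discards all ICMP that the 1/sec limiter did not accept, so the five `-A INPUT -p icmp ...` rules after it — the fragment DROPLOG, the ESTABLISHED accept, the RELATED_ICMP jump, the type-8 accept and the trailing DROPLOG — can never match, and RELATED_ICMP is dead for inbound traffic. OUTPUT has the same shape: `-A OUTPUT -p icmp -j ACCEPT` shadows the ICMP limiters below it, and `-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT` accepts essentially every outbound packet before the per-port rules, so those rules and the final `-A OUTPUT -j DROPLOG` are reached only by packets the preceding `--state INVALID -j DROP` has already taken. If an outbound allow-list is intended, the broad state accept should be removed or moved behind the port rules; if not, the port rules are dead weight that mislead a reader into thinking egress is restricted. Since this file is iptables-save output, the fix belongs in whatever script produces it.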
@@ -1,49 +1,103 @@ - server { + +#listen 443 ssl http2; listen 443 ssl; - # listen [::]:443 ssl; +# listen 80; server_name c9.core; - root /srv/www/default; +# listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/c9.core/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/c9.core/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/c9.core/chain.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security max-age=15768000; + ssl_stapling on; + ssl_stapling_verify on; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + + root /srv/www; + + location /ports/distfiles { + alias /usr/ports/distfiles; + } + + location /ports/packages { + alias /usr/ports/distfiles; + } + + location /doc { + alias /srv/www/c9-doc; + index index.html; + } - location /distfiles { - alias /usr/ports/distfiles; + location /git/static { +# static files (png/css) served from /usr/share/gitweb/static + alias /srv/www/gitweb/static; + expires 30d; } + location /git { + alias /srv/www/gitweb; + index gitweb.cgi; + fastcgi_split_path_info ^/git()(/?.+)$; + fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; + fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; + fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - location /bug { + include fastcgi_params; + fastcgi_pass unix:/var/run/fcgiwrap.sock; + } + + location /task { index index.php; - alias /srv/www/default/flyspray; + alias /srv/www/c9-flyspray; try_files $uri $uri/ index.php$is_args$args; } - location ~ ^/bug(.+\.php)$ { ### This location block was the solution - alias 
/srv/www/default/flyspray; - - fastcgi_split_path_info ^(.+\.php)(/.+)$; + location ~ ^/task(.+\.php)$ { ### This location block was the solution + alias /srv/www/c9-flyspray; + fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; try_files $uri /index.php =404; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$1; - # fastcgi_pass unix:/var/run/php5-fpm.sock; +# fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass 127.0.0.1:9000; } location / { - alias /srv/www/default/pmwiki/; - index pmwiki.php + alias /srv/www/c9-pmwiki/; + index pmwiki.php; try_files $uri $uri/ /pmwiki.php$is_args$args; } +# ACME challenge + location ^~ /.well-known { + allow all; + alias /srv/www/c9-pmwiki/pub/cert/.well-known/; + default_type "text/plain"; + try_files $uri =404; + } + + location ~ \.php$ { - alias /srv/www/default/pmwiki; + alias /srv/www/c9-pmwiki; + index pmwiki.php; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index pmwiki.php; try_files $uri /pmwiki.php =404; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - # fastcgi_pass unix:/var/run/php5-fpm.sock; +# fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass 127.0.0.1:9000; } } diff --git a/tools/conf/etc/ssh/sshd_config b/tools/conf/etc/ssh/sshd_config index f0619fe..cba9be5 100644 --- a/tools/conf/etc/ssh/sshd_config +++ b/tools/conf/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. 
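Review bot: The new prefix locations `location /doc { alias /srv/www/c9-doc; }`, `location /git { alias /srv/www/gitweb; }`, `location /task { alias /srv/www/c9-flyspray; }` and both `/ports/...` blocks pair a prefix without a trailing slash with an `alias` without one, the nginx combination where a request path that continues the prefix with `..` is mapped outside the aliased directory; writing both sides with the slash, e.g. `location /doc/ { alias /srv/www/c9-doc/; }`, keeps the mapping contained. `location /ports/packages` aliases `/usr/ports/distfiles`, the same directory as `/ports/distfiles`, which reads like a copy-paste slip if a separate packages directory was meant. `add_header Strict-Transport-Security` at server level is not inherited by any location that later declares its own `add_header`, which is worth a one-line comment next to it so a future location block does not silently lose HSTS.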
@@ -16,45 +16,28 @@ AddressFamily inet #ListenAddress 0.0.0.0 #ListenAddress :: -# The default requires explicit activation of protocol 1 -Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - # Ciphers and keying #RekeyLimit default none -Ciphers aes256-ctr,aes192-ctr,aes128-ctr # Logging -# obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO LogLevel VERBOSE # Authentication: -LoginGraceTime 1m +#LoginGraceTime 2m #PermitRootLogin prohibit-password -PermitRootLogin no #StrictModes yes #MaxAuthTries 6 -MaxAuthTries 3 #MaxSessions 10 -#RSAAuthentication yes -PubkeyAuthentication yes - -AllowGroups admin users gitolite +#PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys @@ -66,23 +49,19 @@ AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication +# HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes -PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes -ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no 
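Review bot: Besides the protocol-1 leftovers, this hunk removes every explicit hardening line — `Ciphers ...`, `LoginGraceTime 1m`, `PermitRootLogin no`, `MaxAuthTries 3`, `PubkeyAuthentication yes`, `AllowGroups admin users gitolite`, `PasswordAuthentication no` and `ChallengeResponseAuthentication no` — and the file falls back to the commented upstream defaults, so password logins are accepted again and the group allow-list is gone. If the goal was to resync with the 1.101 template, the local settings should be re-added below the template lines; at minimum `PasswordAuthentication no`, `ChallengeResponseAuthentication no` and `AllowGroups admin users gitolite`. The removal of `UsePrivilegeSeparation sandbox` in the next hunk matches a template from the OpenSSH release that deprecated the option, but that only holds if the installed sshd is that release or newer; confirm before relying on the default.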
@@ -116,7 +95,6 @@ ChallengeResponseAuthentication no
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-UsePrivilegeSeparation sandbox
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
diff --git a/tools/nginx.html b/tools/nginx.html
index a85cf0e..ef78ecb 100644
--- a/tools/nginx.html
+++ b/tools/nginx.html
@@ -43,7 +43,7 @@

      2. Certificates

      -

      2.1. Lets encrypt

      +

      2.1. Lets encrypt

      Example of nginx location block on public pmwiki setup;

      @@ -57,6 +57,12 @@ }
      +

      First run dryrun to test if everything is ok;

      + +
      +        # certbot certonly --dry-run --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d c9.root.sx
      +        
      +
               # certbot certonly --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d c9.root.sx
               
      diff --git a/tools/qemu.html b/tools/qemu.html index c914d74..fc0f15c 100644 --- a/tools/qemu.html +++ b/tools/qemu.html @@ -234,11 +234,89 @@

      Set guests machines to run under the total resolution provided by host system configure grub on the guest with gfxmode;

      +

      Guest Graphics

      + +

      Get current resolution on host machine;

      +
      -        GRUB_GFXMODE=640x480
      +        $ xrandr --current | fgrep '*'
      +            1366x768      60.00*+
      +        
      + +

      Set grub gfxmod on guest machine, edit /etc/default/grub;

      + +
      +        GRUB_GFXMODE=1366x768
               GRUB_GFXPAYLOAD_LINUX=keep
               
      +

      Update grub configuration on guest machine;

      + +
      +        # update-grub
      +        
      + +

      Guest Sound

      + +

      Check if DMAR is enable on kernel configuration, + Intel and AMD uses different technology. To check on + Inter machine run;

      + +
      +	# grep -e DMAR -e IOMMU
      +	
      + +

      runvm/profile/crux

      + +
      +        export QEMU_AUDIO_DRV=alsa
      +        #export QEMU_AUDIO_DRV=sdl
      +
      +
      +        #boot=$1
      +        boot=c
      +
      +        iso=iso/crux-3.2.iso
      +        #iso=$2
      +
      +        #image=$3
      +        image=img/crux-img.qcow2
      +
      +        #tap=$4
      +        tap="tap1"
      +
      +        #mac=$(rmac_addr)
      +        mac="54:60:be:ef:5c:72"
      +
      +        other="-soundhw hda"
      +        
      + +

      runvm/runvm.sh

      + +
      +        function rmac_addr (){
      +        printf '54:60:BE:EF:%02X:%02X\n' $((RANDOM%256)) $((RANDOM%256))
      +        }
      +
      +        source profile/$1
      +        boot=$2
      +
      +        #mac=$(rmac_addr)
      +
      +        qemu-system-x86_64 \
      +            -enable-kvm \
      +            -m 1024 \
      +            -boot ${boot} \
      +            -cdrom ${iso} \
      +            -hda ${image} \
      +            -vga std \
      +            -display sdl \
      +            -device e1000,netdev=t0,mac=${mac} \
      +            -netdev tap,id=t0,ifname=${tap},script=no,downscript=no \
      +            ${other} \
      +            &>
      +        
      + Tools Index

      This is part of the c9 Manual. Copyright (C) 2016
diff --git a/tools/scripts/pkgmk-test.conf b/tools/scripts/pkgmk-test.conf
index db9978d..1ebdccb 100644
--- a/tools/scripts/pkgmk-test.conf
+++ b/tools/scripts/pkgmk-test.conf
@@ -2,11 +2,13 @@ # /etc/pkgmk.conf: pkgmk(8) configuration #
-export CFLAGS="-O2 -march=x86-64"
+export CPPFLAGS="-D_FORTIFY_SOURCE=2"
+export CFLAGS="-O2 -march=native -mtune=native -pipe -fPIC -fPIE -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check" export CXXFLAGS="${CFLAGS}"
-
+export LDFLAGS="-fPIE -pie -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now" export MAKEFLAGS="-j4"
+ case ${PKGMK_ARCH} in "64"|"") ;;
@@ -34,5 +36,3 @@ PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/) # PKGMK_WGET_OPTS="" # PKGMK_CURL_OPTS="" # PKGMK_COMPRESSION_MODE="gz"
-
-
diff --git a/tools/scripts/pkgmk-test.sh b/tools/scripts/pkgmk-test.sh
index 5509ac2..a279967 100644
--- a/tools/scripts/pkgmk-test.sh
+++ b/tools/scripts/pkgmk-test.sh
@@ -2,4 +2,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" CONF=${DIR}/pkgmk-test.conf
-fakeroot pkgmk -cf $CONF -d $1
+fakeroot pkgmk -cf $CONF -d -is $1
-- cgit 1.4.1-2-gfad0
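Review bot: `-fstack-check` and `--param=ssp-buffer-size=4` in the new CFLAGS of pkgmk-test.conf do not add the protection the rest of the line suggests: `--param=ssp-buffer-size` only tunes plain `-fstack-protector` and has no effect once `-fstack-protector-strong` is in force, and `-fstack-check` is GCC's stack-probing option for runtime stack-overflow detection rather than a hardening flag in the sense of the others (GCC 8 later added `-fstack-clash-protection` for that purpose), so both should be dropped or justified in a comment. `-march=native -mtune=native` ties every package built with this file to the build host's CPU, which is acceptable for a test configuration but should be stated where the flag is set, e.g. `# test-only flags: -march=native makes the packages non-portable; never reuse this conf for published ports`. Because the following context line keeps `CXXFLAGS="${CFLAGS}"`, both points apply to C++ builds as well.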
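Review bot: `$CONF` and `$1` remain unquoted on the changed line of pkgmk-test.sh, so a checkout directory containing whitespace (CONF is derived from `${BASH_SOURCE[0]}` two lines up) or an argument with spaces or glob characters is word-split and globbed before pkgmk sees it; write it as `fakeroot pkgmk -cf "$CONF" -d -is "$1"`. If `-is` is pkgmk's `--ignore-signature` (as in CRUX 3.3's pkgmk), the script now builds ports without checking their signature files, which may be what a local test harness wants but deserves a comment above the call, e.g. `# -is: skip signature verification; test builds only, never for installed packages`. The visible context shows no `set -u`, so a missing `$1` silently becomes an empty argument; `: "${1:?port directory required}"` before the call would catch that, though the script's top is outside the hunk.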
